
Archive for Malwarebytes

How to – Removing Security Shield (Fake Antivirus) Malware

After a quiet couple of months, during which fake-antivirus pop-ups stopped being a daily issue in tech support, this week brought the return of an oldie but goodie.

We received calls from a couple of clients about a pop-up for the “Green Dot Security Shield”. After comparing what each client was doing, we believe the pop-up most likely appeared while each client was browsing the same major website (I will not name the site for now, since we can't prove our theory, but the suspected site has been notified). Remember, pop-ups like these can appear on any part of the internet; it does not just happen to people who browse the shady side of the web.

What you see when you get infected

While browsing, what you will see is a pop-up (like the example below) that looks like an antivirus program, with a message that infected files have been found. This is why it is important to know what antivirus / antimalware software you actually have installed and what it looks like: a warning from a product you never installed is the giveaway.

[Screenshot: the fake “Green Dot Security Shield” alert]

Once this pop-up is on the screen, you will find that you cannot open various programs (including your real malware cleaner), because the pop-up has already started making changes to your PC. If you get to this stage, you NEVER want to click on any part of the window or any related message: even buttons labelled Ignore or Skip will continue the infection. What you need to do is power off your PC and then start in Safe Mode. To get to Safe Mode (Windows XP, Vista and 7), press the F8 key repeatedly as soon as you power on your PC until the boot options menu appears, then select “Safe Mode with Networking” (example below).


Once booted in Safe Mode with Networking, launch CCleaner. If you don't have it installed, download it from the Piriform website (http://www.piriform.com/ccleaner). Once installed and opened, go to Tools (on the left side) and select Startup. This shows everything that is set to start with your PC.


Look for lines for programs set to start automatically with names like qfhsl.exe (yours may use a different name, and there may be more than one). If you are not sure whether an .exe is legitimate, search for its exact file name with a search engine (Google or Bing). Pay particular attention to entries whose file path is in your user profile's local data folder rather than Program Files; that is where this malware drops itself (paths below).


If you are not sure whether an item is legitimate, disable it (disabling is reversible, deleting is not); if you know the item is NOT legitimate, you can delete it right from CCleaner. In addition, if you know the file is not legitimate, note the listed location, go there and manually delete the file as well, as in this example for qfhsl.exe.


This specific Green Dot malware can be found in:

C:\Documents and Settings\(user name of the user signed in at the time of infection)\Local Settings\Application Data\ (for XP)

C:\Users\(user name of the user signed in at the time of infection)\AppData\Local (for Windows Vista and Windows 7)

Both folders are hidden by default, so either type the path into the Windows Explorer address bar or turn on “Show hidden files and folders” in Folder Options. Note that the file sits directly in that folder, not in a program's own subfolder; legitimate software rarely runs from there.
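The by-eye check described above (a startup entry whose .exe lives directly in the user's local data folder and has a random-looking name) can be written down as a rule. The following is an added example for this post, not the author's code or anything from CCleaner. The entries it scans are constructed to mirror what CCleaner's Startup tab or the registry Run keys list; the user name jdoe, the Temp folders and the vowel-less-name heuristic are assumptions of the example, not facts from the post.

```python
"""Triage autostart entries: flag executables launched from a user profile's
local data folder (the drop location named in this post) or with random-
looking names. Example written for this post; not the author's tool."""
import ntpath
import re

# Drop folders named by the post (XP, then Vista/7). The user-name segment is
# unknown, so it is matched as a wildcard. The two Temp folders are an
# assumption added by this example, not named by the post.
PROFILE_LOCAL_ROOTS = [
    re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\application data$"),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local$"),
    re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\temp$"),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp$"),
]


def executable_from_command(command):
    """Return the executable path from a startup command line, handling a
    quoted path followed by arguments ("C:\\x\\y.exe" /silent) and an unquoted
    path that may itself contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", command)
    return m.group(1) if m else command.split()[0]


def suspicion_reasons(command):
    """Return the reasons an autostart entry deserves a look (empty if none)."""
    exe = executable_from_command(command)
    parent = ntpath.dirname(exe).lower()       # ntpath: Windows rules on any OS
    stem = ntpath.splitext(ntpath.basename(exe))[0].lower()
    reasons = []
    if any(root.match(parent) for root in PROFILE_LOCAL_ROOTS):
        reasons.append("runs straight from a user-profile data folder, not Program Files")
    # Heuristic (assumption): a short, vowel-less name such as 'qfhsl' is what
    # a randomly generated file name tends to look like.
    if len(stem) >= 4 and re.fullmatch(r"[a-z0-9]+", stem) and not re.search(r"[aeiou]", stem):
        reasons.append("random-looking file name")
    return reasons


def triage(entries):
    """entries: list of (name, command) as shown by CCleaner > Tools > Startup
    or under HKCU/HKLM ...\\CurrentVersion\\Run. Returns {name: reasons} for hits."""
    hits = {}
    for name, command in entries:
        reasons = suspicion_reasons(command)
        if reasons:
            hits[name] = reasons
    return hits


# Constructed sample, not a real export from an infected PC.
SAMPLE_ENTRIES = [
    ("qfhsl", r"C:\Documents and Settings\jdoe\Local Settings\Application Data\qfhsl.exe"),
    ("xkrtv", r'"C:\Users\jdoe\AppData\Local\xkrtv.exe" -run'),
    ("Malwarebytes Anti-Malware", "\"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe\" /starttray"),
    ("Google Update", r'"C:\Users\jdoe\AppData\Local\Google\Update\GoogleUpdate.exe" /c'),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

Only the two made-up entries are flagged; GoogleUpdate.exe is under AppData\Local too but in its own subfolder, which is why the rule keys on the folder itself rather than on “anything under the profile”. A hit is a reason to search the file name and check the path, as the post says, not proof of infection on its own.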

Additional Clean Up Steps

Once you have taken these steps, you must still run your antimalware programs to make sure whatever is left behind gets cleaned up. The two programs I can recommend are SuperAntiSpyware and Malwarebytes. If you don't already have them installed, go to Ninite (http://ninite.com/) to download and install them.


Once installed, I recommend running SuperAntiSpyware first. When you launch the program, before starting the scan, select Check for Updates and let it update to the latest signature files. (The Database Status should say “Updated X minutes ago”.)


Once updated, run a complete scan of all your drives. When the scan completes, select all items found and click Remove. Once they are removed you will be prompted to reboot; select NO. Instead of rebooting, start Malwarebytes.

Once Malwarebytes starts, click on the Update tab and select Check for Updates and let the software update the signature files.


After the software update completes, go back to the scanner tab and select “Perform a full scan”


Again, once the full scan completes, select all items found and click Remove. After you have run both programs and removed everything found, reboot your PC; your system should now be clean of the “Green Dot” malware.

One additional step you may want to take at this point is to uninstall and reinstall your antivirus software, as many of these malware attacks break it. Make sure you have the installer (and any license key) before removing the software; if you need to replace it, you can download free antivirus software from the Ninite (http://ninite.com/) site.


Just pick one of the Antivirus choices under the security section.

- Microsoft Security Essentials

- Avast

- AVG

All 3 are free for home use.

Software: What to do Before / During / After a Malware infection.

This malware thing is becoming such a common issue that it's driving me up the wall (in my opinion). I've been asked by many customers if it's just techs creating these malware infections for job security. Let me tell you that no tech worth his knowledge wants this kind of job security. (End of my soapbox.)

So what do you do with your computer to give yourself a fighting chance? Here is what you should do.

Now that your pc is not infected

1 – Verify that you have a “fairly recent”* version of antivirus software installed, and that it is running the latest definitions available.

a – *What do I mean by fairly recent? If your antivirus software says anything earlier than 2009 in its name (as in Norton 2005, McAfee 2003, etc.), it is too old. Antivirus software that old simply does not have the information needed to keep up with the ever-changing landscape.

b – If it's older than 2009, I recommend uninstalling it and downloading a free antivirus offering (see the next answer for recommendations).

c – What if you find that you don't have antivirus installed at all, or that the one you have is old? I recommend visiting www.ninite.com (http://www.ninite.com). There you will find a selection of free, up-to-date antivirus offerings. I would recommend MSE (Microsoft Security Essentials), but you would not do badly with any of the ones listed; it is at least better than the situation you were in. All you need to do is put a check next to the one you select, click “Get Installer” at the bottom, and hit Run when prompted. It should download and install it for you.


**Remember to uninstall any old antivirus before installing its replacement; two AV products running at the same time conflict with each other.

2 – Now that the AV situation is addressed, you need to add two pieces of free software. It is hoped that you never need them, but life is much easier if you install them now, before you get infected. (Think of it like car insurance: you don't want to try to buy the insurance after the crash. The same applies here, since once infected, the malware may block you from downloading or running these tools.)

a – Go back to www.ninite.com (http://www.ninite.com) and select Malwarebytes and SuperAntiSpyware. Click “Get Installer” at the bottom and then click Run when prompted. That should install both.



b – Once installed, open each of the two programs at least once to make sure they installed correctly and to update them to the latest definition files. Also run a full scan of all hard drives with each, to make sure nothing is hiding in your system.

c – If either Malwarebytes or SuperAntiSpyware finds anything during its scan, it will tell you at the end and walk you through cleaning up your PC (just select the infected files found and select Remove).

3 – Lastly, go back to www.ninite.com (http://www.ninite.com) and select the following programs:



  • QuickTime
  • Flash
  • Flash (IE)
  • Java
  • .NET
  • Silverlight
  • Air
  • Adobe Reader

These are programs most average users have installed, and vulnerabilities in old versions of them are some of the most common ways the bad guys infect PCs: a booby-trapped web page only needs one unpatched plug-in. If you don't actually use one of them (Java and QuickTime are common cases), uninstalling it removes that attack surface entirely. Once you have the ones you do use selected, click “Get Installer” and then Run when prompted.


You may notice that I list www.ninite.com (http://www.ninite.com) a lot in the options above. Just to make it clear, Tech Geek and More has no direct or indirect participation with Ninite. Ninite is just a TGM-recommended site, because it makes updates simple, as opposed to having to visit multiple sites to get the updates done. In addition, TGM appreciates the fact that when you install these programs via Ninite, it does not install toolbars or other junk that drives all techs crazy (as we constantly have to uninstall junk).

 

What to do once you do get infected

Unfortunately, even taking every precaution imaginable, it is still possible to get infected. At the point of being infected, here is what you need to do.

1 – DON'T PANIC! (Seriously, if you panic you will not remember to follow these steps and will probably make things worse.)

2 – Immediately shut down the pc.

a – Try to do it by clicking Start – Shutdown – Shutdown; if that doesn't work, hold the power button on the PC until it powers off.

3 – Once the PC is off, power it back on and, as soon as it starts to boot, press F8 repeatedly until you get the Safe Mode choices; use the up/down arrows to select Safe Mode with Networking and hit Enter.


**Keep in mind that in safe mode your pc will look a little “odd”, that is normal.**

4 – Once in, go to Start –> Settings –> Control Panel –> Internet Options –> Connections tab –> LAN settings (toward the bottom) and make sure nothing in that window is checked; if something is, uncheck it and click OK. A proxy server set here that you did not configure yourself means your web traffic is being routed through someone else's server, and it can also keep the cleanup tools below from downloading their updates. (If you are on a company network that requires a proxy, check with your IT department before changing this.)


5 – At this point, if you have not installed SuperAntiSpyware or Malwarebytes, go to Step #2 under “Now that your pc is not infected” (above) and follow those steps to install both programs.

6 – Once installed, start by running SuperAntiSpyware; when prompted, select Yes to update the definition files. Once updated, run a Full Scan on all your hard drives (any drive that doesn't hold a CD or DVD).



The scan will probably take about an hour on an average-sized drive (around 320 GB). Once the scan completes, select all files that show as infected and click Remove Selected. That covers part of the process. Now to the next part.

DO NOT REBOOT IF PROMPTED

7 – Now start Malwarebytes, and when prompted say yes to updating the definition file.


8 – Once updated, select “Perform full scan” and click Scan.


You will then be asked to select your drives; select all drives that are not CD or DVD drives and press Scan.


Again, the scan will take about an hour on an average-sized drive. Once it completes, select all files that show as infected and click Remove Selected.

IF PROMPTED AGAIN –> DO NOT REBOOT

9 – Now in Windows, go to Start –> Run –> and type msconfig.

a – This opens the System Configuration window. Under the Startup tab, uncheck all items listed (do NOT touch any of the other tabs) and click OK. This stops every automatic-start program, the malware's included, from loading on the next boot; legitimate items you unchecked (your antivirus, printer software, etc.) can be re-checked later once the PC is clean.


IF PROMPTED TO REBOOT –> AGAIN SAY NO

There is one more step.

10 – Open My Computer and go to C:\ –> Windows –> System32 –> drivers –> etc. In that folder find a file called hosts; double-click it and, when prompted, choose to open it with Notepad. (On Vista and 7, open Notepad as administrator first, via right-click –> Run as administrator, or you will not be able to save into this folder.)


Once the file opens, look for the line “#    127.0.0.1       localhost”. A clean hosts file contains only comment lines (starting with #) and the localhost entry.


As shown in the example, anything below the first 127.0.0.1 localhost line needs to be deleted. The hosts file overrides DNS, so extra lines here are how malware silently sends sites (typically antivirus and update sites) to the wrong address or to your own machine. Then save your changes by clicking File –> Save.

Once you have done all this reboot.
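The rule in step 10 (keep the comments and the localhost line, delete every other mapping) is simple enough to automate and, more usefully, to make print a list of what it is about to remove so you can read it before saving. The script below is an added example for this post, not the author's tool. It only operates on text: the sample hosts content is constructed in the layout of a Windows hosts file, and the three redirect lines in it are made up to show what a hijacked file looks like, not taken from any real infection.

```python
"""Audit a Windows hosts file: keep comments, blank lines and localhost
entries, and report every other mapping (the lines a rogue program appends
to redirect sites). Example written for this post; not the author's tool."""
import ipaddress

# The one name a clean hosts file maps to the loopback address.
LOOPBACK_NAMES = {"localhost"}

# Location on Windows XP/Vista/7 (the post's step 10). Not read by this
# script; shown so the cleaned text can be written back by hand.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts_line(line):
    """Return (ip, [names]) for a mapping line, or None for blank/comment
    lines. A trailing '# comment' on a mapping line is ignored."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    return parts[0], parts[1:]


def is_localhost_entry(ip, names):
    """True only for a loopback address (127.x.x.x or ::1) mapped to 'localhost'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # not an address at all: treat as suspicious
    return addr.is_loopback and bool(names) and all(
        n.lower() in LOOPBACK_NAMES for n in names)


def audit_hosts(text):
    """Return (cleaned_text, removed). 'removed' lists (ip, names) for every
    mapping that is not a plain localhost entry; cleaned_text is the file
    with those lines taken out and everything else left untouched."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_hosts_line(line)
        if entry is None or is_localhost_entry(*entry):
            kept.append(line)
        else:
            removed.append(entry)
    return "\n".join(kept) + "\n", removed


# Constructed sample: the commented lines mirror the default Windows layout,
# the three non-localhost mappings are invented to illustrate a hijack.
SAMPLE_HOSTS = """# Constructed sample hosts file
#
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1       localhost
127.0.0.1       www.superantispyware.com
127.0.0.1       www.malwarebytes.org malwarebytes.org
192.0.2.10      www.example.com   # points a real site at a made-up address
"""

if __name__ == "__main__":
    cleaned, removed = audit_hosts(SAMPLE_HOSTS)
    for ip, names in removed:
        print("remove:", ip, " ".join(names))
    print("--- cleaned file ---")
    print(cleaned, end="")
```

Two cautions. First, the post's rule and this script both remove every non-localhost line, which includes entries you or an ad-blocking tool may have added on purpose; read the removed list before writing the cleaned text back. Second, writing back into System32\drivers\etc on Vista and 7 requires administrator rights, so run whatever does the writing elevated.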

After the clean up in safe mode

After the clean up in safe mode, and the reboot, there are still a couple of things you need to do.

1 – You will need to reinstall your antivirus product. If you were infected, there is a chance your AV product is compromised; if nothing else, reinstalling makes sure it is complete, or gives you the chance to pick a new AV package. This is especially important if your AV software is a few years old. Make sure to uninstall, then reinstall.

2 – Using Step #3 in the “Now that your pc is not infected” section, make sure you update the programs listed there.

With that you should be back up and running.


Alert: Spanish-language e-mail message that is a computer virus

Since the start of Tech Geek and More, one of the biggest focuses has involved computer viruses (called rogueware or malware). Rogueware and malware can infect a PC in various ways (visiting websites, clicking on links, through e-mails, and more). Until now, all the e-mail warnings covered English-language e-mails, because that is what was known to exist. However, as of now I can officially report that these e-mails are now multi-language. Tonight I received an e-mail (forwarded by a family member) that says “Amix, esto tienes probarlo”.

[Screenshot: the Spanish-language malware e-mail]

The English version of the e-mail has been around for a while: “Check to see who is blocking you on MSN”. The hook is that if you click the link in the e-mail, you will (supposedly) be able to see who has blocked you on their MSN Messenger list. As you can see from the e-mail source (below), it is almost an exact translation of the English version, claiming that if you follow the link you will be able to see who is blocking you (I blocked out the internet addresses within the e-mail source).

[Screenshot: the e-mail's source, with the internet addresses blocked out]

What the link actually does is install a version of Antivirus2009 (or 2010), which causes a great many headaches for the user and normally requires a tech to clean or reinstall the computer. If you have Spanish-speaking friends or family, we strongly recommend that you let them know not to open this e-mail and to just mark it as junk and delete it. If they have already opened the e-mail, they can use programs like the free version of SuperAntiSpyware (http://www.superantispyware.com/superantispywarefreevspro.html) or the free version of Malwarebytes (http://www.malwarebytes.org).

Alert: Malware emails are not just in English – They also exist in Spanish.

Since the start of TechGeekandMore, one of the biggest focuses has involved malware and rogueware. Malware and rogueware can infect a PC in various ways (visiting websites, clicking on links, via e-mails, etc.). Until now, all the e-mail warnings covered English-language e-mails, because that's what was known to exist. However, as of now I can officially report that those e-mails are multi-language. This evening I received an e-mail (from a Spanish-speaking family member) that says “Amix, esto tienes que probarlo”, which loosely translates to “Buddy, you have to check this out”.

[Screenshot: the Spanish-language malware e-mail]

The English version of the e-mail has been a regular for a while: “Checking to see who is blocking you on messenger”. The hook is that if you click on the link in the e-mail, you will (supposedly) be able to see who has you blocked on their MSN Messenger list. As you can see from the e-mail source (below), it is almost an exact translation of the English version, claiming that if you follow the link you will be able to see who is blocking you (I blocked out the internet addresses within the source of the e-mail).

[Screenshot: the e-mail's source, with the internet addresses blocked out]

What the link actually does is install a version of Antivirus2009 (or 2010), which causes a lot of headaches for the user and normally requires a tech to clean up or reinstall the computer. If you have any Spanish-speaking family or friends, we highly recommend that you let them know NOT to open this e-mail, and to just mark it as junk and delete it. If they have already opened it, they can use programs like the free version of SuperAntiSpyware (http://www.superantispyware.com/superantispywarefreevspro.html) or the free version of Malwarebytes (http://www.malwarebytes.org/).

How to: What to do if you get a virus or malware via a pop up message

There have been many posts on TechGeekandMore concerning viruses, spyware, malware and scareware. If you wonder why, it's because as a tech, the number one question and the number one support call I take involves PCs that have already been infected (because the user didn't know any better) and what to do to clean them up.

Sometimes the infection isn't really bad and a simple scan and delete will clean things up; other times it's a matter of recovering what you can from the PC and formatting/reinstalling everything (and yes, that could mean saying goodbye to important documents, or a long downtime). On top of everything else, keep in mind that hiring someone like me to clean up your PC could cost $100/hr or more, and in some cases it may be more cost effective to buy a new PC.

So where do we start? With a couple of common DOs and DON'Ts.

1) If you are on any website and see messages like the following:

[Screenshots: fake “AV System Pro” spyware warning and fake “Personal AV” install message]

DO NOT CLICK ON YES OR OK. It is a trick used by the writer of the virus or malware (known as social engineering) to get you to install it. Since the message pops up as part of the page you are on, you may think it is a natural part of Windows and agree to it; at least, that is what the bad guy hopes you will believe. A web page can draw anything it likes, including a convincing copy of a Windows dialog, so the look of the message proves nothing.

Additionally, when online, DO READ WHAT POP-UP MESSAGES SAY AND DON'T JUST CLICK ON THEM TO GET THEM OUT OF YOUR WAY. AND DON'T BELIEVE EVERYTHING THAT POPS UP (I know this is a hard concept for most). The following are just some of the millions of possible messages you could see:

[Screenshots: fake Conficker warning, assorted fake antivirus pop-ups, and a fake “Windows Security Center” pop-up]

Now let's talk about how these happen. They can happen because the website you're visiting has itself been compromised. These days it's not just PCs that get infected; websites, both minor and major, do too (Scareware Pop-Ups Target Google, New York Times (http://www.waco.bbb.org/article/scareware-pop-ups-target-google-new-york-times-13118)), often through the advertising they carry. So DON'T think that because the only sites you visit are major sites (Google, NY Times, Twitter, Facebook, etc.) you are entirely safe. You MUST always stay alert.

What if your machine is under attack from a virus or malware?

Take immediate action as soon as the message or pop-up appears. The majority of viruses and malware are written so that not only does your machine get infected, but the infection then goes out to the internet (completely automatically) and downloads additional files and infections to reinforce itself. So the longer you take to address the issue, the harder (and probably more expensive) it will be to clean your machine. Imagine yourself getting the flu: take care of yourself and in a few days your body recovers and everything is normal again. Ignore it and let it run its course untreated, and you could get sick enough to end up in hospital, or dead. (Sorry to be so dramatic, but really, that's what it boils down to.)

As soon as you receive one of these scareware/malware/virus pop-up windows, use the Task Manager to close whatever program you are using to get to the internet. (NEVER try to close the window with its own OK or Cancel button: all the buttons, whatever they say, can download unwanted files onto your PC.) You can open the Task Manager in one of two ways.

Task Manager via Ctrl+Alt+Del

Hold down Ctrl, Alt and Delete at the same time. On Windows XP you will see a Windows Security box; select Task Manager. On Windows Vista or 7 you will see a full-screen menu instead; select Start Task Manager from there.

Task Manager via right-click

Right-click on an empty space on the taskbar (the bar at the bottom where your open programs appear) and select Task Manager from the menu.

Once you have opened the Task Manager, the Applications tab lists all programs currently running. Highlight any program that is connected to the internet (Internet Explorer, Firefox, Chrome, etc., and anything e-mail) and select End Task. You will be prompted with End Program; select End Now. Continue until you have closed everything that is connected to the internet and the list is empty.

Once you have closed the Window – what next?

This may take a little time, but it's best to check your PC and make sure nothing stayed on it that shouldn't be there. There are four things you need to do at this point.

Step#1 -

If you use Internet Explorer

Go to Tools –> Internet Options –> Browsing history section –> Delete, and delete all.


If you're using Firefox

Go to Tools –> Options –> Privacy and select Clear your recent history and Remove individual cookies (you may need to change the setting to Remember history to get to these settings).

If you use any other browser, look for the option to clear cache, temporary files or cookies, and remove all.

***Also make sure you empty your recycling bin.***

Step# 2-

If you don't already have a copy on your PC, download SuperAntiSpyware (http://superantispyware.com/) and install it. **There is a Free and a Pro edition; all you will need is the Free edition.**

- During the install you will see a series of screens. Make sure you say YES to “Would you like SuperAntiSpyware to check for the latest updates...”, then accept the default or recommended setting for the remaining screens. On the screen asking for an e-mail address you do NOT have to enter anything; just select Next.



Once installed, you will see the main screen. Make sure the definition date (bottom right) is current (it shouldn't be more than a day or two old; if it is, click Check for Updates), then select Scan your Computer (top left).

You will then see the scan options.

Select all your hard drives, select “Perform Complete Scan” and hit Next.

Once the scan completes, you will see the list of items found. I recommend leaving all shown items checked and selecting Next.

Lastly, once the clean-up completes, you will be prompted to reboot. I recommend you close anything that is still open and select Yes to reboot.

 Step# 3

If you don't already have Malwarebytes, download and install it (http://www.malwarebytes.org/). **There is both a free and a paid version; home users just need the free version.**

– During the install you will see several screens; you can select the default choices. Toward the end of the install you will see a choice for “Update Malwarebytes' Anti-Malware”; make sure it is checked.


As soon as it is installed, you will see the scanner screen. Select “Perform full scan”, select all your drives and run the scan.


Once completed, you will see a list of all items found. Select all and remove. Then reboot the PC.

Step# 4

Lastly, whatever antivirus you have, update it to the latest updates or signature file (depending on which one you have) and run a full scan of all your drives. If it finds anything, select removal and then reboot.

If you don't have an antivirus program, or yours has expired, TGM recommends Microsoft Security Essentials, which is free (http://www.microsoft.com/Security_Essentials/).

I know this was a long post, but the steps listed above are exactly the steps I (and probably most other techs) would take if you called me to take care of your PC. Hopefully this information helps you stay informed and saves you a headache and some money in the future.