After a Malware infection.

This Malware thing is becoming such a common issue that its driving me up the wall (In My opinion). I’ve been ask by many customers if its just tech’s creating these malware infections for job security. Let me tell you that I can promise you no tech worth his knowledge wants this kind of job security. (End of my Soapbox)

So what do you do with your computer to give you a fighting chance? Here is what you should do

Now that your pc is not infected

1 – Verify that you have “Fairly recent”* version of antivirus software installed, and that the AV software at is installed is running the latest Definitions possible.

a – *What do I mean by fairly recent, if you find your antivirus software and it says anything less than 2009 in the name (as in Norton 2005, McAfee 2003, etc.) then its to old. Antivirus software that old will just not have the information needed to keep up with the ever changing landscape

b – If its older than 2009, then I recommend just uninstalling it, and downloading a free Antivirus offering. (See the next answer for recommendation)

c – What if you find that you don’t even have antivirus installed or that the one you have is old. I recommend visiting www.ninite.com (http://www NULL.ninite NULL.com). There you will find a selection of Free Up to Date antivirus offerings. There are a couple of offerings, I would recommend MSE (Microsoft Security Essentials), but you would not do bad with any of the ones listed. Its at least better than the situation you were in. All you need to do is put a check next to one you select, then at the bottom select “Get Installer”, and hit run when prompted. It should download and install it for you.

**Remember to uninstall any old antivirus before installing its replacement, as pc’s don’t like to have 2 AV software running at the same time.

2 – Now that we have the AV situation address, you now need to add 2 pieces of free software to your install. It is hoped that you never need to use them but it makes life much easier if you install them now, before you get infected. (Think about it like car insurance, you don’t want to try and get the insurance after crash, same thing applies here for the software).

a – Go back to www.ninite.com (http://www NULL.ninite NULL.com) and select Malwarebytes and SuperAntiSpyware. Click on the “Get Installer” button at the bottom and then click run when prompted. That should install both.

b – Once installed you want to open each of the 2 programs you just installed at least once to make sure they installed correctly, and also to update the programs to the latest definition files. You should also run a full scan with each of the 2 programs on all hard drives. To make sure that nothing is hiding in your system.

c – If either Malwarebytes or SuperAntiSpyware finds anything during its scans it will tell you at the end and very simply help you clean up your pc. (Just select the infected files found and select remove infected)

3 - Lastly, go back to www.ninite.com (http://www NULL.ninite NULL.com) , and select the following files

QuickTime
Flash
Flash (IE)
Java
.NET
Silverlight
Air
Adobe Reader

These are all programs that most average users have installed, and vulnerabilities in old versions of these programs are some of the most common ways that many of the bad guys use to infect pc’s. Once you have all of these selected, click on “Get Installer” and then click on run when prompted.

You may notice that I list www.ninite.com (http://www NULL.ninite NULL.com) a lot in the options above. Just to make it clear, Tech Geek and More has no direct or indirect participation with ninite. Ninite is just a TGM recommended site, because they make updates simple, opposed to having to visit multiple sites to get the the updates accomplished. In addition, TGM appreciates the fact that when you install these programs via Ninite, they do not install Toolbars, or other junk that drives all Techs crazy (as we have to constantly uninstall Junk).

What to do once you do get infected

Unfortunately, even with taking every precaution imaginable its still possible to get infected. At the point of being infect here is what you need to do

1 – DON’T PANIC! (Seriously, if you panic you will not remember to follow the following steps and will probably make things worse)

2 – Immediately shut down the pc.

a – Try to do it by clicking on Start – Shutdown – Shutdown on the screen and if that doesn’t work, then just hold the power button on the pc until the pc powers off.

3 – Once the pc is off, power it back on and as soon as pc starts to boot press F8 over and over, until you get to the safe mode screen choices, use the up/down arrow to select safe mode with networking and hit enter

**Keep in mind that in safe mode your pc will look a little “odd”, that is normal.**

4 – Once you get into your pc, Go to start –> settings –> control panel –> and click on internet options –> then go to connections tab –> and click on LAN settings (toward bottom) and make sure nothing in that window is checked, if it is uncheck it, then click ok

5 – At this point if you have not installed SuperAntiSpyware or Malwarebytes, go to Step#2 under “Now that your pc is not infected” (above) and follow those steps to install both programs.

6 – Once installed, start by running SuperAntispyware, and when prompted select yes to update definition files. Once definitions are updated, run a Full Scan on all your Hard Drives (That would be any drive that doesn’t hold a CD or DVD).

The scan will probably take 1 hour on most average sized drives (Average = 320 gig drives). Once scan is completed, select all files that show infected and then click on remove select. That covers part of the process. Now to the next part.

DO NOT REBOOT IF PROMPTED

7 – Now start Malwarebytes, and when prompted say yes to updating the definition file.

8 – Once updated, select Perform full scan and hit select

You will then be asked to select your drives, select all drives that don’t use CD or DVD and press Scan

IF PROMPTED AGAIN –> DO NOT REBOOT
9 – Now in Windows –> Go to start –> run –> and type msconfig
a – This opens the msconfig window. Under the start up tab –> Uncheck all items listed. (DO NOT touch any of the other tabs) and click ok.

IF PROMPTED TO REBOOT –> AGAIN SAY NO

There is 1 more step.
10 – Open up My computer and go to –> c:\ drive –> windows folder –> system32 folder –> drivers folder –> etc. folder and in that location find a file called hosts and double click it, when prompted select to open with notepad.

Once the file opens look for the following line “# 127.0.0.1 localhost”

As shown in the example anything below the 1st 127.0.0.1 needs to be deleted. Then save your changes by clicking on File –> Save.

Once you have done all this reboot.

After the clean up in safe mode

After the clean up in safe mode, and the reboot, there are still a couple of things you need to do.

1 – You will need to reinstall your Antivirus product. If you were infected, there is a chance that your AV product is compromised, if nothing else, it just makes sure its complete or gives you a choice to pick a new AV package. This is especially important if your AV software is a few years old. Make sure to uninstall then reinstall.

2 – Using the Step#3 in the “Now that your pc is not infected” section. Make sure you update the programs listed in that section.

With that you should be back up and running.

Alerta: Mensaje en Espanol de correo electrónico que es un Virus de computadora.

Desde el inicio de la TechGeekandMore, uno de los ejes más grandes ha involucrado virus de computadors (que se llaman Rogueware o Malware). Rogueware y malware pueden infectar un pc a través de diversas maneras (visitar sitios del Web, haga clic en vínculos, a través de correos electrónicos, o mas….). Hasta ahora, todas las advertencias de correo electrónico cubierto correos electrónicos en inglés, porque eso es lo que se sabia que existia. Sin embargo por ahora puedo informar oficialmente que los correos electrónicos son ahora multi-lenguaje. Esta noche he recibido un correo electrónico (que me mando un miembro de familia) que dice "Amix, esto tienes probarlo".

La versión en inglés del correo electrónico se a visto por un tiempo, "Cheques para ver quien te está bloqueando en MSN". El gancho del ser que si puede clic en el enlace proporcionado en el correo electrónico, que podrá ver (supuestamente) que ha le bloqueado de su lista de MSN Messenger. Como se señaló mirando el origen del correo electrónico (abajo), es casi una traducción exacta de la versión en inglés, afirmando que si se mira el enlace usted será capaz de ver que está bloqueando le (bloquear las direcciones de internet dentro de la fuente del correo electrónico)

Lo que realmente hace el vínculo es instalar una versión de Antivirus2009 (o 2010) que produce una gran cantidad de dolores de cabeza para el usuario y normalmente requiere un tecnología para limpiar o reinstalar el equipo. Si tienes amigos ni familia de habla española, le recomendamos encarecidamente que Hágales saber no se van a abrir este correo electrónico y a sólo la lista como correo no deseado y elimínelo. Si ya han abierto el correo electrónico, pueden utilizar programas como la versión gratuita de SuperAntiSpyware (LINK: http://www.superantispyware.com/superantispywarefreevspro.html (http://www NULL.superantispyware NULL.com/superantispywarefreevspro NULL.html) ) o la versión gratuita de Panda (LINK: http://www.malwarebytes.org/ (http://www NULL.malwarebytes NULL.org/)).

Alert: Malware emails are not just in English – They also exist in Spanish.

Since the start of TechGeekandMore one of the biggest focuses has involved Malware and Rogueware. Malware and Rogueware can infect a pc via various ways (visiting websites, clicking on links, via emails, etc….). Until now, all the email warnings covered English language emails, because that’s what was known to exist. However as of now I can officially report that those emails are now multi-language. This evening I received an email (from a Spanish speaking family member) that says “Amix, esto tienes que probarlo”, which loosely translates to “Buddy, You have to check this out”.

The English version of the email has been a regular for a while, “Checking to see who is blocking you on messenger”. The hook being that if you click on the provided link in the email, that you will be able to see (supposedly) who has you blocked from their MSN Messenger list. As noted while looking at the email source (below), it is almost an exact translation of the English version, claiming that if you look at the link you will be able to see who is blocking you (I did block the internet addresses within the source of the email)

What the link actually does is install a version of Antivirus2009 (or 2010) which causes a lot of headaches for the user and normally requires a tech to clean up or reinstall your computer. If you have any Spanish speaking family or friends, we highly recommend that you let them know NOT to open this email, and to just list it as junk mail and delete it. If they have already opened the email, they can use programs like the free version of SuperAntiSpyware (LINK: http://www.superantispyware.com/superantispywarefreevspro.html (http://www NULL.superantispyware NULL.com/superantispywarefreevspro NULL.html)) or the free version of Malwarebytes (LINK: http://www.malwarebytes.org/ (http://www NULL.malwarebytes NULL.org/)).

How to: What to do if you get a virus or malware via a pop up message

There have been many posts on TechGeekandMore concerning viruses, spyware, malware, and scareware. If you wonder why, its because as a tech, the number one question and the number one support call that I will take involves pc’s that have already been infected (because the user didn’t know any better) and what to do to clean up the pc.

Sometimes the infection isn’t really bad and a simple scan and delete will clean things up, other times, its a matter of recover/save what you can from the pc and format/reinstall everything (and yes that could mean saying goodbye to important documents or a long downtime). On top of everything else keep in mind that hiring someone like me to clean up your pc could cost $100 / HR or more, and in some cases it may be more cost effective to buy a new pc.

So where do we start, we start at a couple of common things that are DO’s and DONT

1) If your on any website and see a messages like the following

DO NOT CLICK ON YES OR OK, it is a trick used by the writer of the virus or malware (known as social engineering) to get you to install the malware or virus. Since the message will probably pop up as part of the page your on, you may just think that its a natural part of Windows and agree to it, at least that’s what the bad guy hopes you will believe.

Additionally, when online, DO READ WHAT THE POP MESSAGES SAY AND DONT JUST CLICK ON THEM TO GET THEM OUT OF YOUR WAY. ADDITIONALLY DONT BELIEVE EVERYTHING THAT POPS UP (I know this is a hard concept for most). The following are just some of the MILLIONS of possible messages that you could see

Now lets talk about how these happen, they can happen because the website your visiting has been infected by a virus. These days its not just pc’s that get infected it can also be websites both minor and major (Scareware Pop-Ups Target Google, New York Times (http://www NULL.waco NULL.bbb NULL.org/article/scareware-pop-ups-target-google-new-york-times-13118)), so DONT think that because the only sites you visit are major sites (Google, NY Times, Twitter, Facebook, etc) that your entirely safe. You MUST always stay alert.

What if you machine is under attack from a Virus or Malware

Take immediate action as soon as the message or popup comes up. The majority of viruses and malware is written in such a way that not only will your machine get infected, but the infection will go out to the internet (completely automatically) and download additional files and infections to reinforce itself. So the longer you take to address the issue the harder (and probably more expensive) it will be to clean your machine. Image your self getting the flu, you take care of yourself and in a few days your body recovers and everything is normal again. However, if you get the flu and ignore it and just let it continue without doing anything about it, you could get sick enough to end up in a hospital or even dead. (Sorry to make it so over dramatic, but really that’s what it boils down to).

As soon as you receive a one of these type of scareware/malware/virus pop up windows, you need to use the task manager to close whatever program your using to get to the internet (You should NEVER try and close the program with the ok or cancel button on the program as all the buttons no matter what they say will download unwanted files on to your pc). You can access the task manager 1 of 2 ways

Task Manager via Ctrl Alt Del key

Hold down ctrl, alt, and delete at the same time.

If your on WindowsXP you will see this box. Just select task manager.

If your on Windows Vista or 7, then you will see this window. Select Start Task Manager from here.

Task Manager via Right Click

Use an empty space on the task menu (that’s the bar on the bottom where you see your programs) right click, you will see Task Manager as a choice. Select Task Manager from there.

Once you have opened the Task Manager, you will see the following window.

From the applications tab you will see all programs that are currently running. You should highlight any program that is connected to the internet (Internet Explorer, Firefox, Chrome, etc and Anything email) and select End Task. You will be prompted with

and select End Now. Continue doing that until you remove everything that is connected to the internet.

Once you have closed the Window – what next?

This may take a little time, but its best to check you pc and make sure nothing stayed on it that shouldn’t be there. There are 4 things you need to do at this point.

Step#1 -

If you use Internet Explorer

Go to Tools –> Internet Options –> select delete in the browser history section and delete all

If your using Firefox

Go to Tools –> Options –> Privacy and select clear your recent history and remove individual cookies ( you may need to change the setting to remember history to get to the settings)

If you use any other browser look for the area to remove, cache, temp or cookies and remove all.

***Also make sure you empty your recycling bin.***

Step# 2-

If you don’t already have a copy on your pc, download Super Antispyware (LINK: http://superantispyware.com/ (http://superantispyware NULL.com/)) and install Super Antispyware. **There is a Free and Pro edition, all you will need is the free edition.**

- During the install you will see the following screens. Make sure you say YES to “Would you like Super Antispyware to check for the latest updates….” then select the default or recommended setting for the remaining screens. On the screen asking for email address you do NOT have to enter anything, you can just select the next button.

Once installed you will see the following screen, just make sure that the definition date (on the bottom right) is current (shouldn’t be more than a day or two old, if not click on check for updates) then select scan your computer (on top left)

You will then see

At which point, select all your hard drives and select “Perform complete scan” and hit next.

Once the scan completes,

You will see the list of items found. I would recommend that all shown items remain with checks and then select next.

The lastly once the clean up completes. You will be prompted to reboot. I recommend you close anything that is still open and select yes to reboot.

Step# 3

If you don’t already have Malwarebytes, download and install (LINK: http://www.malwarebytes.org/ (http://www NULL.malwarebytes NULL.org/)). **There is both a free and paid version, home users just need to get the free version.

– During the install you will see the following screens, you can select the default choices. Toward the end of the install you will see a choice for “Update Malwarebytes Anti-Malware” make sure you have a check next to that choice.

As soon as it is installed, you will see the following screen. Make sure to select “Perform full scan” and select all your drives and run your scan.

Once completed you will see a list of all items found. Select all and remove. Then reboot pc.

Step# 4

Lastly, whatever Anti-virus you have, make sure you update it to the latest updates or signature file (depending on which one you have) and run a full scan of all your drives. If it finds anything select removal and then reboot.

If you don’t have an Anti-Virus program or yours is expired, TGM recommends Microsoft Security Essentials which is free. (LINK: http://www.microsoft.com/Security_Essentials/ (http://www NULL.microsoft NULL.com/Security_Essentials/) )

I know this was a long post, but the steps listed above would be exactly the steps I would take if you called me (and probably most other techs) to take care of your pc. Hopefully this information helps you stay informed and helps you save a headache and some money in the future.

Tech Geek and More

Technology Explained for All

Category Archives: SuperAntispyware

Software: What to do Before / During / After a Malware infection.

Alerta: Mensaje en Espanol de correo electrónico que es un Virus de computadora.

Alert: Malware emails are not just in English – They also exist in Spanish.

How to: What to do if you get a virus or malware via a pop up message