Terminal's IT Support, Products & Services Blog

Internet Security 2011 Malware

Although I don't normally focus on malware removal, this particular malware has been coming around a lot lately.  Several customers have asked me about it, as it's quite convincing.

Ever since Windows XP Service Pack 2, security measures in Windows have become much more visible.  Users are now used to seeing pop-ups and other notifications from Windows when their system may be at risk or is infected with something.  Unfortunately, virus and trojan writers have jumped on this opportunity, creating malware programs which try to look like they are actually security components of Windows.

The scenario goes something like this:

1) User becomes infected with malware.

2) The malware begins popping up fake notifications warning that the user's system is infected, usually claiming many, many different viruses and trojans.

3) These fake security messages usually indicate that all the bad programs can be removed, if the user is willing to buy the "full version" of the software.

Essentially, these programs are a big money scam.  They sneak onto the user's computer, then claim to detect hundreds and hundreds of viruses, which the software can remove if the user is willing to pay.  Of course, if the user does pay, the program simply removes itself, which was the whole problem to begin with!

Usually, these programs are easy to spot, because there are clear typos or nonsense English in the messages that tip users off that something is not right.  However, the newest of these I've seen, called "Internet Security 2011", is very good at looking like a real part of Windows.  Thankfully, many users know better than to spend money on software before consulting with their IT help, which gives us a chance to get onto the system and remove the root of the problem.

The removal process is actually quite simple, but should only be done by a qualified IT person, as the programs used can cause serious damage to your system if not used correctly.  The simplest process involves running ComboFix, which removes essentially all traces of the rogue malware.  Typically the latest version of Malwarebytes is then installed and run as well, just to ensure the system is completely clean.  A very easy process, but a very nasty malware program nonetheless, simply due to its convincing nature.

Don't let yourself be tricked by malware writers into buying their supposed security products.  If you're getting odd pop-ups or being told you need to "register" your software to be fully protected, Contact Us today to make sure you aren't being tricked and that your system really is fully secure.

Brian St. Marie - Sr. Systems Engineer


Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Sincerely, Terminal We Serve All of Greater Boston and Cambridge, MA
We hope you have found this information helpful & if so...Please Follow Us on Twitter! or Like Us on Facebook!

Windows Restore Virus

This week, I ran into a very intense virus called Windows Restore. It tries to make you think that there is a problem with everything from hardware to software applications on your PC. The reason it was so difficult to remove was the fact that it hides all your icons and stops your IE from being operational.

From past experiences, I know that it looks for certain software like Malwarebytes or ComboFix and disables them. If you do need anti-malware to run, your best bet is to rename it to something different like 123456. This will trick the virus and usually let you install your virus/malware removal programs. Below is a list of manual keys in the registry to look at when trying to remove this virus. Also, remember to go into folder options and show all files and folders.

Malicious Files Added by Windows Restore Virus:
%UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows restore.lnk
%AppData%\Microsoft\[random].exe
%UserProfile%\Desktop\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\

Windows Restore Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
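As an added example (not part of the original post), here is a small checker for the registry indicators listed above. It reads a .reg export of HKEY_CURRENT_USER instead of the live registry, so it runs on any machine; the sample export is constructed, and the test for Run entries pointing at %AppData%\Microsoft\[random].exe is my own heuristic based on the file list above.

```python
import re

# Value-based indicators from the post: (key path, value name, expected data).
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures", "no"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Use FormSuggest", "yes"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "WarnonBadCertRecving", "0"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments", "SaveZoneInformation", "1"),
]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# %AppData% expands to C:\Users\<name>\AppData\Roaming; the dropped binary lives under Microsoft\ there.
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\]+\.exe$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: data}}. Handles string and dword values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))          # dword:00000001 -> "1"
            else:
                data = data.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes in strings
            keys[current][name.strip('"')] = data
    return keys

def find_indicators(text):
    """Return a list of human-readable hits for the Windows Restore indicators."""
    keys = parse_reg_export(text)
    hits = [f"{key} {name} = {expected}" for key, name, expected in INDICATORS
            if keys.get(key, {}).get(name) == expected]
    for name, data in keys.get(RUN_KEY, {}).items():
        if APPDATA_EXE.search(data):
            hits.append(f"{RUN_KEY} {name} -> {data}")
    return hits

# Constructed sample export: two of the policy tweaks plus a suspicious and a benign Run entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"a1b2c3"="C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\a1b2c3.exe"
"""

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EXPORT):
        print(hit)
```

On a real machine, export the hive with `reg export HKCU hkcu.reg` and pass the file contents to find_indicators.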

Dennis Foote – System Engineer



Computer Repair Boston - Downloading viruses can change your registry

This week has been about malware for me.  I have spent some time with a customer’s computer that needed a good cleaning.

I started off by taking a look at the programs that were installed on the machine, and removing the likely candidates causing trouble. These usually include extra toolbars, downloaders, and in this case, a bunch of registry editors that were on there.

Once they were all removed, I used various tools for cleaning up the infections.  I then moved on to cleaning up the registry.  There are lots of tools out there for this, and that’s where the problems can start.  People like to download them and just let them run. The registry is not a toy! If your registry gets hurt it can cause lots of issues for the computer.

Once the registry fixes were done I ran an exefix to get all the .exe’s running again. A quick driver and Windows update later and I was done!

A lot of these types of infections are preventable with a few easy steps: keep your antivirus up to date, be watchful of the websites you visit, and make sure you trust any software you install!

Kristen Hewes - Hardware Technician - Computer Repair Boston

