Category Archives: Scareware Removal Tips

14 Free Tools To Use To Identify And Remove Tough Malware

The following tools have been specifically designed to help users better identify malware infections, and then eradicate those specific infections. These tools require advanced computer knowledge, and unless you feel confident in your diagnostic skills, you should avoid them.

Here’s a reasonable test to determine if you have the skills necessary to use these applications effectively. If you’re not capable of using, and interpreting, an application such as HiJackThis for example, it is unlikely that using these applications will prove to be beneficial. On the other hand, if you can interpret the results of a HiJackThis scan, you’re probably “good to go”.

Should you choose to add these applications to your antimalware toolbox, be aware that you will need the latest updated version for maximum efficiency.

Emsisoft HiJackFree

The program operates as a detailed system analysis tool that can help you in the detection and removal of Hijackers, Spyware, Adware, Trojans, Worms, and other malware. It doesn’t offer live protection but instead, it examines your system, determines if it’s been infected, and then allows you to wipe out the malware.

Runscanner

If you’re a malware hunter, and you’re in the market for a free system utility which will scan your system for running programs, autostart locations, drivers, services and hijack points, then Runscanner should make your shortlist. The developers of Runscanner describe this freeware utility as having been designed to “detect changes and misconfigurations in your system caused by spyware, viruses, or human error.”

HijackThis

HijackThis is a free utility which heuristically scans your computer to find settings that may have been changed by homepage hijackers, spyware, other malware, or even unwanted programs. In addition to this scan-and-remove capability, HijackThis comes with several tools useful in manually removing malware from a computer.

The program doesn’t target specific programs, but instead it analyses registry and file settings, and then targets the methods used by cyber-crooks. After you scan your computer, HijackThis creates a report, and a log file (if you choose to do so), with the results of the scan.

RKill

RKill is a program developed at BleepingComputer.com – “It was created so that we could have an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.”

Emsisoft BlitzBlank

BlitzBlank is a tool for experienced users and all those who must deal with Malware on a daily basis. Malware infections are not always easy to clean up. In more and more cases it is almost impossible to delete a Malware file while Windows is running. BlitzBlank deletes files, Registry entries and drivers at boot time before Windows and all other programs are loaded.

McAfee Labs Stinger

Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.

Specialty Removal Tools From BitDefender

Eight special removal tools including Conficker Removal Tool

Microsoft Malicious Software Removal Tool

This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft releases an updated version of this tool on the second Tuesday of each month.

NoVirusThanks

NoVirusThanks Malware Remover is an application designed to detect and remove specific malware, Trojans, worms and other malicious threats that can damage your computer. It can also detect and remove rogue security software, spyware and adware. This program is not an antivirus and does not protect you in real time, but it can help you to detect and remove Trojans, spyware and rogue security software installed on your computer.

Norton Power Eraser

Symantec describes Norton Power Eraser in part, as a tool that “takes on difficult to detect crimeware known as scareware or rogueware. The Norton Power Eraser is specially designed to aggressively target and eliminate this type of crimeware and restore your PC back to health.”

Rootkit Tools:

If you think you might have hidden malware on your system, I recommend that you run multiple rootkit detectors. Much like anti-spyware programs, no one program catches everything.

Microsoft Rootkit Revealer

Microsoft Rootkit Revealer is an advanced rootkit detection utility. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. According to Microsoft, Rootkit Revealer successfully detects all persistent rootkits published at http://www.rootkit.com, including AFX, Vanquish and Hacker Defender.

IceSword

IceSword is a very powerful software application that will scan your computer for rootkits. It also displays hidden processes and resources on your system that you would be unlikely to find in any other Windows Explorer-like program. Because of the amount of information presented in the application, please note that IceSword was designed for more advanced users.

GMER

This freeware tool is essentially a combination of Sysinternals’ Rootkit Revealer and Process Explorer. The program can list running processes, modules and Windows services, in addition to scanning for the presence of rootkits.

Tizer Rootkit Razor

Tizer Rootkit Razor will allow you to identify and remove rootkits from your computer. I should be clear, however: this tool is not “one-click simple” to decipher, and users need to be particularly mindful of false positives.

This article was originally posted November 2, 2010.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


A Lesson In Malware Removal Using Kaspersky Rescue Disk

This past Sunday, I posted an article on the benefits of regular scanning with a “live CD” – Stay Malware Free (Hopefully!) – Scan With A “Live CD” Regularly. That reminded me of an excellent article (previously posted here), by my good buddy and fellow blogger, Mark Schneider, on working with Kaspersky Rescue Disk to eradicate malware.

There are some great pointers here, and I encourage you to re-read this terrific article; it’s well worth it.

You find your computer getting slower and slower to boot, and when it finally does boot it’s so slow everything runs at a crawl. So you try running the antivirus you have and just get a message that says the definitions are out of date and you can’t connect to the update server.

Or you may find an annoying pop-up coming up every time you boot telling you PC Antivirus has found 70,278 infections and for $49.99 they will remove them for you. Well my friend, you are hosed! Your machine is so badly infected that you have to try desperate measures.

At this point you can try pulling your hard drive out of the machine, putting it in another machine mounted as a slave drive, and using that other machine to try to clean it.

Another way to get this thing up and running is to try some kind of bootable rescue disk to clean it. Bootable rescue disks are bootable CDs/DVDs that contain small operating systems, with preinstalled tools for repairing your computer.

When you turn on your computer, hit F10 or F12, select your CD/DVD drive, and your computer boots into the operating system contained on that CD. There are a lot of great rescue disks out there; the problem is that most are very complicated, and some take forever to boot.

I found one great exception to this though. Kaspersky Labs, creator of the very capable Kaspersky Antivirus line of products, has built a great free bootable rescue CD that is simple to use.


Unlike many other bootable rescue disks it has one purpose: to clean your system. To create a Kaspersky Rescue Disk, download the ISO image from this link, then burn the image to a CD.

Depending on what operating system you are using, you may need to download a CD burning program if you don’t already have one. Windows 7 has a built-in burning program that’s simple to use and works great. If you are running XP or Vista, I like Image Burn or CD BurnerXP – both do a great job of burning .ISO images, and are free.

Once you have your rescue CD built, start your infected machine, pressing F12/F10 to get to the boot selection screen. Boot to the CD-ROM drive as I stated earlier and relax; although it is faster than most rescue disks, it’s hardly fast.

Follow the prompts, and when it boots into the Kaspersky Rescue system you first need to update the virus definitions. Once updated, run a scan, and go read the newspaper or get some coffee; it takes a while.

Once it completes the scan go ahead and let it remove or quarantine all the files it has found. I’ve never had it delete anything that caused the machine it was fixing not to boot. But of course before you do anything like this, BACK UP YOUR DATA!!!!! But you already did that so proceed.

Do the scan, remove the junk and log off Kaspersky. Just turning off your computer with the power button won’t hurt anything when you are running a rescue CD.

The reason rescue CDs are so effective is that you’re not trying to disinfect a computer with an infected OS. When you boot to the hard drive of an infected machine, you’re playing on the bad guy’s home turf. They control the machine, and in many cases they’ve hidden the infected files so your antivirus can’t see them.

There are other rescue disks out there and many are very complicated and take a very long time. The Kaspersky Rescue Disk is the fastest and easiest I’ve found to clean an infected machine enough to allow me to boot back into Windows and complete the process by adding my favorite automated antimalware tools to keep the system clean going forward.

Note: Kaspersky Rescue Disk 10 can be run from a USB device.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world.

Why not pay a visit to Mark’s site today.


Specialty Malware Removal Tools For Killing Tough Malware

Looking at recent estimates provided by a large number of Internet security providers, the consensus seems to be that there are over 20,000,000 malware programs currently circulating on the Internet. So, if you should become infected by malware, it might not be any consolation – but, rest assured; it can happen to any one of us. We are, after all, facing overwhelming odds.

Much of today’s malware can be extremely difficult to identify and remove –despite a user relying on frontline antimalware applications to do the job. If you’re struggling with the reality of this statement, take a look at “Testing of antiviruses for the treatment of active infections” from Anti-malware Test Lab.

The following tools have been specifically designed to help users better identify malware infections, and then eradicate those specific infections. These tools require advanced computer knowledge, and unless you feel confident in your diagnostic skills, you should avoid them.

Here’s a reasonable test to determine if you have the skills necessary to use these applications effectively. If you’re not capable of using, and interpreting, an application such as HiJackThis for example, it is unlikely that using these applications will prove to be beneficial. On the other hand, if you can interpret the results of a HiJackThis scan, you’re probably “good to go”.

Should you choose to add these applications to your antimalware toolbox, be aware that you will need the latest updated version for maximum efficiency.

A-squared HiJackFree

The program operates as a detailed system analysis tool that can help you in the detection and removal of Hijackers, Spyware, Adware, Trojans, Worms, and other malware. It doesn’t offer live protection but instead, it examines your system, determines if it’s been infected, and then allows you to wipe out the malware.

Runscanner

If you’re a malware hunter, and you’re in the market for a free system utility which will scan your system for running programs, autostart locations, drivers, services and hijack points, then Runscanner should make your shortlist. The developers of Runscanner describe this freeware utility as having been designed to “detect changes and misconfigurations in your system caused by spyware, viruses, or human error.”

HijackThis

HijackThis is a free utility which heuristically scans your computer to find settings that may have been changed by homepage hijackers, spyware, other malware, or even unwanted programs. In addition to this scan-and-remove capability, HijackThis comes with several tools useful in manually removing malware from a computer.

The program doesn’t target specific programs, but instead it analyses registry and file settings, and then targets the methods used by cyber-crooks. After you scan your computer, HijackThis creates a report, and a log file (if you choose to do so), with the results of the scan.

RKill

RKill is a program developed at BleepingComputer.com – “It was created so that we could have an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.”

Emsisoft BlitzBlank

BlitzBlank is a tool for experienced users and all those who must deal with Malware on a daily basis. Malware infections are not always easy to clean up. In more and more cases it is almost impossible to delete a Malware file while Windows is running. BlitzBlank deletes files, Registry entries and drivers at boot time before Windows and all other programs are loaded.

McAfee Labs Stinger

Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.

Specialty Removal Tools From BitDefender

Eight special removal tools including Conficker Removal Tool

Microsoft Malicious Software Removal Tool

This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft releases an updated version of this tool on the second Tuesday of each month.

NoVirusThanks

NoVirusThanks Malware Remover is an application designed to detect and remove specific malware, trojans, worms and other malicious threats that can damage your computer. It can also detect and remove rogue security software, spyware and adware. This program is not an antivirus and does not protect you in real time, but it can help you to detect and remove trojans, spyware and rogue security software installed on your computer.

Norton Power Eraser

Symantec describes Norton Power Eraser in part, as a tool that “takes on difficult to detect crimeware known as scareware or rogueware. The Norton Power Eraser is specially designed to aggressively target and eliminate this type of crimeware and restore your PC back to health.”

Rootkit Tools:

If you think you might have hidden malware on your system, I recommend that you run multiple rootkit detectors. Much like anti-spyware programs, no one program catches everything.

Microsoft Rootkit Revealer

Microsoft Rootkit Revealer is an advanced rootkit detection utility. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. According to Microsoft, Rootkit Revealer successfully detects all persistent rootkits published at http://www.rootkit.com, including AFX, Vanquish and Hacker Defender.

IceSword

IceSword is a very powerful software application that will scan your computer for rootkits. It also displays hidden processes and resources on your system that you would be unlikely to find in any other Windows Explorer-like program. Because of the amount of information presented in the application, please note that IceSword was designed for more advanced users.

GMER

This freeware tool is essentially a combination of Sysinternals’ Rootkit Revealer and Process Explorer. The program can list running processes, modules and Windows services, in addition to scanning for the presence of rootkits.

Tizer Rootkit Razor

Tizer Rootkit Razor will allow you to identify and remove rootkits from your computer. I should be clear, however: this tool is not “one-click simple” to decipher, and users need to be particularly mindful of false positives.

Since false positives are always a major consideration when using tools of this type, be aware that tools like this are designed for advanced users and above.


2 Free Scareware (Rogue Software) Removal Tools – Norton Power Eraser and NoVirusThanks

I just took a second look at two free last-resort malware removal tools, which I first looked at in June – Norton Power Eraser and NoVirusThanks. The developers of each tool make reference to the fact that it is capable of detecting and removing rogue software, a scourge that currently infests the Internet.

The first tool – NoVirusThanks Malware Remover, (last updated August 23, 2010), according to the publisher, is “an application designed to detect and remove specific malware, Trojans, worms and other malicious threats that can damage your computer. It includes the ability to remove rogue software, spyware and adware.”

For a complex tool, the user interface is surprisingly simple, since it’s laid out in the familiar tabs and check boxes format, which makes it easy to follow.

Despite the publisher’s assertion that this tool “is very fast”, I didn’t find it particularly so. It took fully 15 minutes to complete the scan. Norton Power Eraser (described later), took less than 2 minutes.

No Virus Thanks 2

On the plus side though, NoVirusThanks Malware Remover did not return any false positives, which is a bit unusual for an aggressive specialty tool. This can be very positive of course, for those users unused to running such a high powered tool.

No Virus Thanks 3

Fast facts:

Accurate Disinfection Method
Remove Rogue Software and Unwanted Applications
Remove Trojans, Spyware and Worms
Quick Scan and Full Scan
Scan Processes
Scans Modules
Scans Registry
Backup Files and Folders
Easy to use

System requirements: Windows 7, Windows 2003, Windows 2000, Windows Vista, Windows XP

Download at: Novirusthanks.org

The second specialty malware removal tool I took a second look at comes from a more familiar developer – Symantec, whose free Norton Power Eraser makes essentially the same claims as NoVirusThanks. Specifically, that it detects and removes scareware, or rogueware.

Symantec describes Norton Power Eraser in part, as a tool that “takes on difficult to detect crimeware known as scareware or rogueware. The Norton Power Eraser is specially designed to aggressively target and eliminate this type of crimeware and restore your PC back to health.”

Again, Norton Power Eraser’s user interface is simple, and easy to follow.

Norton Power Eraser 1

Unlike NoVirusThanks, Norton did point out (for the second time) two issues that were, in fact, false positives, as the following screen capture indicates.

Norton Power Eraser 2

Power Eraser does offer the user additional information on suspicious files, so that the user can make a more accurate assessment as to the validity of the findings, as the following screen capture shows. You’ll note that in this case NoVirusThanks is shown as a suspicious file.

It should be shown as a suspicious file, since its behavior replicates, in part, the familiar behavior of malware.

Norton Power Eraser 3

The second suspicious activity, “advanced”, refers to my habit of hiding my Desktop icons, since I dislike that cluttered look. Besides which, on all my machines, my work applications are displayed in the Taskbar.

Norton Power Eraser 4

Note: According to Symantec – “You should use Power Eraser only when nothing else will remove the threat, and you are willing to accept the risk that the scanner may quarantine a legitimate program.”

System requirements: Windows 7, Windows Vista, Windows XP

Download at: Symantec

These tools require advanced computer knowledge, and unless you feel confident in your diagnostic skills, you should avoid them.

Should you choose to add these applications to your antimalware toolbox, be aware that you will need the latest updated version for maximum efficiency.


Scareware is Destroyware – Not Just Malware


Scareware is a particularly vicious form of malware, designed specifically to convince the victim to pay for the “full” version of an application in order to remove what are, in fact, false positives that these programs are designed to display on the infected computer in various ways: fake scan results, pop-ups, and system tray notifications.

According to Panda Security, approximately 35 million computers are infected with scareware/rogueware each month (roughly 3.50 percent of all computers), and cybercriminals are earning more than $34 million monthly, through scareware attacks.


Delivery methods used by these parasites include Trojans, infected websites, misleading advertisements, and Internet Browser security holes. They can also be downloaded voluntarily, from rogue security software websites, and from “adult” websites. As one of my friends put it “It’s easy to be bitten by a dog like that”.

The average computer user that I speak with informally has no idea that rogue applications exist. But they do, and cyber crooks are continuing to develop and distribute scareware at a furious pace; there are literally thousands of variants of this type of malware currently circulating on the Internet. It’s fair to say distribution has now reached virtual epidemic proportions.

Having watched the development and deployment of scareware over the last few years, and having noted the increasing sophistication of the current crop of scareware applications, I have come to the realization that scareware removal instructions have limited value, except perhaps for the most technically sophisticated computer user. A reformat and a system re-install are more than likely in the cards.

Yes, I know, there are literally hundreds of sites that will walk you through the process of attempting to eliminate this type of scourge, but simply put – if your computer becomes infected with the current scareware circulating on the Internet, you are, in most cases, wasting your time attempting to save your system.

If you doubt this, take a look at Trojan War Resolution: The Battle Won, in which Larry Walsh of eWeek, describes a three day marathon system recovery attempt which was ultimately successful, but…..

The best advice? Have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage.

If you have become infected by scareware, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools, and advice, you will need to attempt removal.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software.

SmitFraudFix, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue software.

Consider the ramifications carefully before responding to a Windows Security Alert pop-up message. This is a favorite vehicle used by rogue security applications to begin the process of infecting unwary users’ computers.

Be cautious in downloading freeware, or shareware programs. Spyware, including scareware, is occasionally concealed in these programs. Download freeware applications only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications, since exposure to rogue security applications is widespread.

Install an Internet Browser add-on such as WOT (Web of Trust), an Internet Explorer/FireFox add-on, that offers substantial protection against dangerous websites.


Another Day in the Trenches: Killing XP Antivirus 2010

Popular guest writer Mark Schneider walks you through a computer recovery operation, following an infection by a rogue security program, XP Antivirus.

I hate rogue antivirus programs. They seem to be getting more numerous and harder to get rid of all the time. Case in point: At work, I noticed a shared computer suddenly popped up a window announcing it was doing a scan, and that I was infected with over 4,000 Trojans and other forms of malware.

Nice try, I thought, so I used Control Alt Delete to start Task Manager, and I closed Internet Explorer and all running processes involved. Fortunately, it was a limited user account that was infected, and that turned out to be an important factor in removing it.

I immediately ran Malwarebytes from that user and found a number of infections including the rogue antivirus product I was afflicted with. These cretins that come up with this crap can’t even come up with something creative – we’ve seen XP Antivirus for a few years now; each year they just tack on a year to make it look current.


Sad thing is, I’m sure somewhere out there is someone who renews this crap every year. Imagine paying yearly to be infected – oh right, we already do that it’s called McAfee, but don’t get me started.

Well back to the task at hand: I rebooted the machine and logged into an administrator account, updated Malwarebytes and ran it again… and found more junk, actually the same junk. Malwarebytes found it, but could not kill it.

Next, I downloaded Superantispyware, a great application that I always run at home but it wasn’t on the work machine. The first thing I do now after I download an anti-malware application is rename the installer. I do this because I often find the malware knows how to prevent anti-malware from installing – these guys aren’t creative, but they’re getting smarter.

To rename a file, right-click on the file, select rename, type anything.exe, and install the program. Superantispyware did its thing and found a ton of additional files. I removed the infected files and rebooted again, and ran both my programs again. I still found junk!

I repeated the sequence two more times until nothing was found. I then ran a scan in all user accounts to confirm “the kill”. So far so good, until I went into the user account where the infection had started; now, whenever I tried to launch any program from the desktop, I’d get the “Choose what Program you want to use to Open this File” message. This meant I had to fix file associations, and a great site with XP file association fixes is here. I used the .exe file association fix and it worked great.

The last thing I did was to run Process Explorer and Autoruns from Sysinternals. These utilities give a great in-depth look at what is currently running and starting on your machine at boot-up. Finding nothing suspicious, I deemed the computer clean, for now.

So a few lessons I learned on this one: Don’t use IE – this was caused by a flaw in Internet Explorer; I believe it was just fixed this week. Second, running as a limited user is still far safer than running as an administrator: even though it’s trivial to elevate to administrator level, most malware seldom does, and this makes cleaning an infected PC much easier.

Next, running your cleanup tools multiple times and rebooting after each scan is the only way to give the anti-malware tools a chance against the bad guys.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world.
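The two checks that closed out the cleanup above, the .exe file association and the Autoruns-style pass over startup locations, as an added PowerShell example that is not part of Mark's post or any Sysinternals tool. It assumes PowerShell 3 or later in an elevated prompt on the already-cleaned machine, and that the stock association value is "%1" %* (the Windows default); the function names are my own.

```powershell
# Added example (not from the original post): re-verify two things a rogue-AV
# cleanup often leaves behind, with nothing but built-in PowerShell.
#   1. The .exe file association, which XP Antivirus-style rogues break so that
#      every program launch shows the "Choose what program..." dialog.
#   2. The Run/RunOnce autostart keys, where leftovers tend to hide; each image
#      is checked for an Authenticode signature so the reader knows what to look at.
# Assumption: PowerShell 3+ (for [pscustomobject]) and an elevated prompt.

$ErrorActionPreference = 'SilentlyContinue'

function Test-ExeAssociation {
    # HKCR is not a PowerShell drive by default; use the Registry:: provider path.
    $key      = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $expected = '"%1" %*'            # stock Windows default for launching .exe files
    $actual   = (Get-ItemProperty -Path $key).'(default)'
    [pscustomobject]@{
        Key      = $key
        Expected = $expected
        Actual   = $actual
        Healthy  = ($actual -eq $expected)
    }
}

function Get-ImagePathFromCommand {
    param([string]$Command)
    # Heuristic: a quoted path ends at the next quote; otherwise take the first token.
    # Bare names such as rundll32.exe (resolved via PATH at logon) will show as MissingFile.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $first = ($cmd -split '\s+')[0]
    # Expand %SystemRoot%-style variables that autostart entries often use.
    return [Environment]::ExpandEnvironmentVariables($first)
}

function Get-AutostartReport {
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties the registry provider adds to every item; they are not autostart entries.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($hive in $hives) {
        $props = Get-ItemProperty -Path $hive
        if (-not $props) { continue }
        $names = $props.PSObject.Properties |
                 Where-Object { $providerProps -notcontains $_.Name } |
                 Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $command = [string]$props.$name
            $image   = Get-ImagePathFromCommand -Command $command
            $exists  = Test-Path -LiteralPath $image
            $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'MissingFile' }
            [pscustomobject]@{
                Hive      = $hive
                Name      = $name
                Command   = $command
                Image     = $image
                Signature = $sig
                # Unsigned or missing images deserve a second look, in the spirit of the
                # Autoruns pass above; they are a starting point, not proof of malware.
                Review    = ($sig -ne 'Valid')
            }
        }
    }
}

Write-Host '== .exe file association =='
Test-ExeAssociation | Format-List

Write-Host '== Autostart entries (Review = True means unsigned or missing image) =='
Get-AutostartReport | Sort-Object Review -Descending |
    Format-Table Hive, Name, Image, Signature, Review -AutoSize
```

If the association check reports Healthy = False, apply the .exe fix the post links to rather than editing the key by hand; the autostart table is a review list, so compare any flagged entry against what the machine's owner actually installed.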


XP Antivirus 2010 is Back – Removal Instruction

Back in the day (the mid 1960’s), I heard an old time College Football coach (Darrell Royal, of the University of Texas Longhorns) say, in answer to a question concerning his plans for an upcoming game, “we’ll dance with who brung us”.

What he meant was, he would continue to go with the players, and plays, that had contributed to a winning season. Or, to put it more succinctly – success breeds success.

Cyber criminals, particularly those responsible for the rogue software/scareware application, XP Antivirus, have learned this lesson well. XP Antivirus is back, and is running rampant on the Internet at the moment; having morphed from previous versions we had to deal with in 2008, and 2009.

Of all the rogue security applications released to date, and there have been thousands of them, this particular one has been the most successful for the criminal developers.

I first wrote on this scourge in 2008, and in the interim period that specific article has been read 130,000+ times. In the last week or so, I was surprised to see this older article suddenly jump to the top of the daily read chart.

This shift in popularity, coupled with a number of readers reporting having to deal with infections caused by XP Antivirus 2010, convinced me to cover the scareware issue once again.

Just like its predecessor, the XP Antivirus 2010 installer can be found on adult websites and salacious news sites, or it can be installed manually from rogue security software websites.

After the installation of XP Antivirus 2010, be prepared for false positives: fake or false malware detection warnings. As with all rogue security applications, XP Antivirus 2010 was developed to mislead uninformed computer users into downloading and paying for the “full” version of this bogus software, based on the false malware positives generated by the application.


If the full program fee is not paid, XP Antivirus 2010 continues to run as a background process incessantly reporting those fake or false malware detection warnings. To really try your patience, this rogue security software cannot be uninstalled using the Windows Add/Remove Programs tool.

XP Antivirus 2010 Removal Instructions:

If you have become infected by XP Antivirus 2010, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage.

If you feel you have the necessary skills, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools and the advice you will need to attempt removal.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications.

What can you do to ensure you are protected, or to reduce the chances you will become a victim?

Consider the ramifications carefully before responding to a Windows Security Alert pop-up message. This is a favorite vehicle used by rogue security applications to begin the process of infecting unwary users’ computers.

Be cautious in downloading freeware, or shareware programs. Spyware, including scareware, is occasionally concealed in these programs. Download freeware applications only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications, since exposure to rogue security applications is widespread.

Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is WOT (Web of Trust), an Internet Explorer/FireFox add-on, that offers substantial protection against dangerous websites.

As a form of added protection, you should consider running in a virtual environment while connected to the Internet. To find out what this means to your overall security, and to download a free virtual software application, please read “Download Free Returnil Virtual System 2010 Home”, on this site.


Life in the Malware Trenches – Killing Worm.Win32.NetSky and Internet-Security 2010

Guest writer PJ Liberatore (aka Cappydawg, to many of my fellow bloggers) takes you into the real world of virus removal by relating her successful experience in removing Worm.Win32.NetSky, a component of the insidious scareware application Internet Security 2010.

Recently, I had the experience of helping a co-worker with a virus on his Netbook. He had mentioned to me that his Netbook was popping up all kinds of strange messages, stating he was infected with numerous Trojans – so he was going to take it to the “geek people”. I offered to take a look at it for him instead, and maybe save him some money.

When I turned on the Netbook, right away I noticed it took much too long to boot. I made sure I had turned off the WIFI connection so that it wouldn’t go out to the net and attempt to download more suspicious files. When it finally reached the desktop, it told me:

Security Warning! Worm.Win32.NetSky detected on your machine.

Immediately, another screen popped up listing more Trojans! This screen looked suspicious to me, since my co-worker had McAfee Antivirus installed and yet, the screen read “Internet Security 2010“.

At this point, I had 3 screens open, all of them warning me of these potential hazards on this Netbook. One of these screens started up Internet Explorer (I wasn’t worried, since I had WIFI off), and I noticed the web address read: buyinternet-security 2010.com. I knew then I had a bugger of a virus staring at me.

Before I show you how I got this cleared up, let me tell you a little bit about this virus.

Internet Security 2010 gets installed via malware, and will quickly set itself up to start every time Windows is booted. It will also load a number of Trojans on your computer. Once infected, the next time you boot up your computer you will be notified that you are infected with Worm.Win32.Netsky. This is exactly what happened on the computer I was trying to fix.

What makes the virus a real bugger is, it blocks certain applications and when that happens, you get the warning “File is infected”. It will then recommend that you activate your antivirus.

But it is really trying to get you to buy Internet Security 2010. DON’T DO IT! Second, another Trojan that comes with this virus warns you to purchase a codec called VSCoded Pro. DON’T DO IT! All this virus wants is your credit card number, and whoever is behind it will have a field day with it.

Now that you have a little information about this virus, let me tell you what I did to remove it.

My first step was to research this on the internet using my own Laptop. I began my search with “buy internet security 2010.com”. I chose a few articles from the results, and read through them to get some advice on squishing this bugger.

The articles recommended that I download a program called Rkill. Rkill is a small, freeware program, developed by Microsoft MVP Lawrence Abrams, that helps stop malware processes; it’s also portable.

It’s available in four file formats: .exe, .com, .scr and .pif. If you are wondering why four different formats, it’s because malware is getting smarter all the time – some malware can block the execution of an anti-malware tool executable file. For more information on this tool, check out Technibble’s write up.

I ran Rkill first, to stop the process of this virus. It took a while, but it did stop the process. I then pulled out my little USB tool drive, where I keep some of my favorite antispyware and malware tools, and downloaded the latest free versions of SuperAnti-spyware, and MalwareBytes Antimalware.

Next, I ran MalwareBytes in quick scan mode, and sure enough it found about 40 different Trojans. I cleared those, and then ran SuperAnti-Spyware in full scan mode. It also found a few, so I proceeded with the removal process through SuperAnti-Spyware. I then decided to run MalwareBytes again, but in full system scan, just to make sure nothing was missed in the quick scan. It found nothing.

Now feeling pretty confident that it was under control, I rebooted the machine. It booted quicker, and had no messages stating that Worm.Win32.NetSky was on the machine, or any other annoying pop ups. For added protection I ran Dr. Web Antivirus and it found nothing. One more re-boot, and all was good.

Since I was at it, I updated his antivirus definitions, and installed the free edition of SuperAntispyware.

It’s been 2 weeks now, and all is going well.

By doing a little research on the web, and taking it step by step, I was successful in removing this virus and, helped a co-worker save a little money.


Ghost Antivirus, TwittWorm.A, Sinowal.WTF – Panda Security Takes a Look

Courtesy of Panda Security: This week’s PandaLabs report looks at a worm, a Trojan and a new fake antivirus.

Further on in this article, you’ll find instructions for removing Ghost Antivirus.

TwittWorm.A:

TwittWorm.A is a worm that uses Twitter and Messenger in order to spread, sending a malicious message to all contacts of the infected user.

These messages appeal to the curiosity of users, with subjects such as “I just got a piercing and you’ll never guess where! Take a look at the photo. 😉  ” or “You’re going to be mad at me for sending you this photo, but you NEED to see it :3”.

The worm edits the registry so the system cannot be restored or started in safe mode. It also makes a series of changes to the hosts file to prevent users from accessing certain Web pages, particularly those related to antivirus companies.

Another feature is that it prevents the running of certain programs for viewing active processes or monitoring network traffic. Twittworm.A also spreads through USB devices, creating an autorun.inf to automatically infect computers on connection. To protect these types of devices, Panda Security has launched Panda USB Vaccine, which can be downloaded free.
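The two changes described above, the hosts file edit that blocks antivirus vendor sites and the autorun.inf dropped on USB media, are artifacts a defender can check for when triaging a machine. The following is an added example and not PandaLabs’ code; the vendor domain watch-list, the sample hosts file and the sample autorun.inf (including its RECYCLER path) are constructed for illustration and are not indicators from the report.

```python
"""Check two TwittWorm-style artifacts: a tampered hosts file and an
autorun.inf that launches an executable. Added example; all inputs are
constructed, not captured from a real infection."""
import configparser
import re

# Constructed watch-list: vendor domains a defender would not expect to see
# pinned in a hosts file at all.
SECURITY_DOMAINS = (
    "pandasecurity.com", "malwarebytes.org", "mcafee.com",
    "symantec.com", "superantispyware.com", "bleepingcomputer.com",
)
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
BENIGN_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)\b", re.I)


def is_security_domain(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def check_hosts(text):
    """Scan hosts-file text; return (line_no, ip, host, reason) tuples."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            host = name.lower()
            if host in BENIGN_LOCAL_NAMES:
                continue
            if is_security_domain(host):
                findings.append((n, ip, host, "security vendor domain pinned"))
            elif ip in LOOPBACK:
                findings.append((n, ip, host, "sinkholed to loopback"))
    return findings


def check_autorun(text):
    """Return (key, value) pairs from an autorun.inf that launch executables."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if value is None:
                continue
            k = key.lower()
            launches = k in ("open", "shellexecute") or (
                k.startswith("shell\\") and k.endswith("\\command"))
            if launches and EXECUTABLE_EXT.search(value):
                hits.append((k, value.strip()))
    return hits


# Constructed sample inputs (not real captures).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.pandasecurity.com
127.0.0.1       www.malwarebytes.org
10.0.0.5        intranet.example   # legitimate local override
"""

SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\sample-worm.exe
shellexecute=RECYCLER\sample-worm.exe
shell\open\command=RECYCLER\sample-worm.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS):
        print("hosts:", finding)
    for hit in check_autorun(SAMPLE_AUTORUN):
        print("autorun:", hit)
```

On Windows the hosts file lives at %SystemRoot%\System32\drivers\etc\hosts; pass its contents to check_hosts, and the root of each removable drive is where an autorun.inf would sit. The intranet entry is deliberately not flagged: only vendor domains and loopback sinkholes are reported, so a legitimate local override does not generate noise.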

Sinowal.WTF:

Sinowal.WTF is a keylogger Trojan, designed to capture keystrokes with the aim of stealing passwords and other information from infected systems. This Trojan reaches computers through an email claiming to have been sent from MySpace.


The message warns victims about a change to the user’s password and contains a .zip file attachment which supposedly contains the new password. The attached file, once extracted, has an Excel icon, but is really malware. When run, the system is infected and the icon disappears.
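The lure relies on the attachment looking like a document while actually being an executable. The check below is an added example, not Panda’s code: it opens a zip attachment in memory and flags members with an executable extension, a document-style double extension such as .xls.exe, or a PE (“MZ”) header under a non-executable name. The sample archive and its member names are constructed for illustration; the “MZ” stub is not a real program.

```python
"""Inspect a zip attachment for executables disguised as documents.
Added example with constructed sample data."""
import io
import zipfile

# Extensions Windows runs directly; .scr/.pif/.com are common disguises
# because Explorer hides known extensions by default.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".lnk"}
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".jpg"}


def inspect_attachment(zip_bytes):
    """Return (member_name, reason) tuples for risky members of a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                reason = "executable member"
                if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
                    reason = "executable disguised with document double extension"
                findings.append((name, reason))
            # Only the first two bytes are read, so a large archive is safe.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append((name, "PE header under non-executable name"))
    return findings


def build_sample_zip():
    """Construct an in-memory archive resembling the 'new password' lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed stub: just the DOS header magic, not a real PE file.
        zf.writestr("new_password.xls.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Your new password is attached.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

The header check matters because an attacker controls both the name and the icon of the file; the DOS “MZ” signature at offset 0 is what the loader actually looks at, so it is the more reliable signal of the two.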

Ghost Antivirus:

Ghost Antivirus is a new strain of fake antivirus. As with other malware of this kind, it tries to fool users by displaying false infections, remote connections and vulnerabilities that do not exist.


If users fall for the trap, they are directed to a screen where their credit card details are requested to carry out the transaction.


This way, as well as obtaining money for a service that will never be provided, cyber-crooks steal users’ credit card details.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

The computer security software industry has formed an organization called the Common Computing Security Standards Forum, to combat the rise of Rogue Anti-Virus. Among other things, it publishes a list of legitimate Computer Security Software Companies.

The following free resources can provide tools and the advice you will need to attempt removal of Ghost Antivirus.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

SmitFraudFix, available for download at Geekstogo is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue, or malicious, software.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/FireFox add-on that offers substantial protection against such sites.

Do not click on unsolicited invitations to download software of any kind.


Live PC Care, Desktop Defender 2010, APcDefender Fake Antiviruses – Panda Security Takes a Look

Courtesy of Panda Security: This week’s PandaLabs report looks at three fake antiviruses: Live PC Care, Desktop Defender 2010 and APcDefender.

Live PC Care:

As usual with these malicious codes, first it carries out a fake scan of the infected user’s computer, and then claims the system is infected. It asks the user to purchase a license (of a fake antivirus), at a very attractive price to resolve this issue.

If users purchase it, they will have paid for fraudulent software. This fake antivirus stands out because of the way it spreads, as it uses Black Hat SEO techniques, exploiting the launch of Google’s Nexus One phone and the Haiti earthquake. Thanks to these techniques, it manages to place malicious links that download malware among search engines’ top results.


Desktop Defender 2010:

Desktop Defender 2010 also makes users believe their computers are infected, and prompts users to purchase the product.


APcDefender:

Finally, APcDefender uses the same techniques. It is a fake antivirus program that falsely informs users they have dangerous software on their computer.


It tries to fool users by offering them its own anti-malware solution to solve the problems it claims to have detected, and invites them to purchase the software using their credit cards. This way, in addition to stealing users’ money, it also obtains their credit card details.


More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

The computer security software industry has formed an organization called the Common Computing Security Standards Forum, to combat the rise of Rogue Anti-Virus. Among other things, it publishes a list of legitimate Computer Security Software Companies.

The following free resources can provide tools and the advice you will need to attempt removal of these parasites.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

SmitFraudFix, available for download at Geekstogo is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue, or malicious, software.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/FireFox add-on that offers substantial protection against such sites.

Do not click on unsolicited invitations to download software of any kind.
