Malware Minute: Malware Now Imitates PC Utilities
December 21, 2010 by The Pit Crew in Malware Minute
I have been jumping through hoops with this one. Wish I had read this thread before now. Infection finally gone with Microsoft’s help, but I have ActiveX problems and need the OS CD, which I don’t have, to fix the issue. Also, can’t update OS, XP Pro, through the regular channels. I have to go to update.microsoft.com to do it.
Any help with the ActiveX would be greatly appreciated.
I was able to fix this “hijacking” by logging onto the PC under another profile and modifying my startup programs. These had been changed by the malware. It was not A VIRUS. The malware program had been installed under the other profile in the documents folder. Once I got this startup changed, I was good to go. You might also be able to do this under the “hijacked” profile, but you have to be very, very quick; you must modify the startup before the program activates.
We see this virus every day in our repair shop. Best method of prevention is to not click any links from emails or Facebook, as this is where most of these malwares originate! Best way to remove is to boot into Safe Mode (turn computer on, tap F8 until menu shows and select Safe Mode with Networking). Download Malwarebytes and ensure it's updated to the latest virus defs, then perform a FULL system scan. On completion, visit Trend Micro and run Housecall online anti-virus scanner and also perform a FULL scan to ensure everything is ok.
3 weeks ago my computer was hit with a virus. It all happened when I got an alert from Microsoft; thinking that it was really Microsoft sending this, with all the Microsoft logos looking genuine, I clicked on it and was redirected to a fake page advising me to scan my computer with an online scanner. What happened to me was a rogueware installed on my PC; this rogue antivirus application blocked the access to get to my computer desktop. “Someone told me that every time I restarted my computer the fake software got deeper into my system.”
I was also urged to pay money to clean the system. I booted up into safe mode and used my Avast antivirus to do a boot-up scan, and it found “fake alert Trojan & malware Tinkpoint.” I tried Malwarebytes; that didn’t help. I had to reinstall my Windows 7 Ultimate. I learned a lesson the hard way.
Just to add to what a few others have stated about Malwarebytes, if you get the paid version – it has “active protection” which catches in real time – anything that the free version finds during scans. Much better to spend the money up front than the time and effort later on – in my humble opinion.
I also disagree with Lucid Dreamer. A backup drive ready to install is overkill. But everyone should have a backup drive (via E-SATA or USB) and back up their precious documents there. Then use your favorite imaging software (I’m an Acronis True Image fan myself) and keep a backup image of your drive there too. It takes me all of an hour to reload my OS, and a few hours to copy the 2TB of data back.
Look at the up side. If not for the !@#$%Q! responsible for screwing up your puter, you might not be as savvy or proficient due to the “forced schooling” these nuisances demand.
Everyone should have a backup drive (updated monthly) ready to install and important stuff backed up on an external drive. Cloning a drive isn’t difficult and allows you to avoid time-consuming updates, software installs and preferences/settings.
This type of crap has been around for years. It’s not new at all.
That is all. =]
I got System Tools 2011 malware. I took my hard drive out, inserted it into an external case and deleted the files, and turned off System Restore to delete any files that could be in there. And then restarted the puter and turned System Restore back on.
My puter still lags and I'm thinking of reinstalling Windows.
I saw someone mention vipre antivirus. It isn’t very good. I replaced it with kaspersky, which is much better. I still use malwarebytes antimalware for scans, though. I have cleaned a lot of these viruses off of people’s computers. They are a pain if it is well embedded. And I recommend not shutting down a computer until this is removed.
I was told or read somewhere that you should not be running your computer as an Administrator. If you run as an administrator you run the risk of unwanted programs installing on your computer. Running without Administrator rights prevents these viruses from taking over your computer.
At the risk of “plugging” a utility, I recommend “Comodo Firewall+Defence” as a useful tool to combat that sneaky popup that literally locks your computer and prevents you seeking help! Go to Comodo in the startup bar, open Defence and select “Running Processes”, scroll to the process running the popup (your browser), right click and select “Terminate”. End of problem!
I have had a few of these pop-ups appear on my computer while browsing, each informing me that my C: Drive was infected. The only problem with that is I run Linux instead of Windows, and there is no “C: Drive”.
And the best part is: Windows executables (.exe) don’t run in Linux, so my system doesn’t get infected by them. But just last week, I had to scan the systems of 3 friends who came across the same pop-ups and got their Windows systems infected. Windows makes it too.
As a qualified IT technician I spend a lot of time removing these things and have devised a foolproof method for their removal. The most important tool I use is Hiren's disk; this comes with a cut-down version of XP which is bootable directly from CD/DVD, and as this operating system is kept in RAM and doesn't use any files on the hard disk you know it is free from nasties. I then use Hiren's to install Malwarebytes & SuperAntiSpyware to this MiniXP, then get all the updates for these and scan the system with both of them. It takes anything up to 24 hours' work to completely remove these malware, and that is why professionals like myself cannot stress enough the importance of, firstly, a good Internet Security Suite (I use Comodo) and, secondly, a good backup program. Whenever I clean someone's computer I always recommend they buy Acronis True Image Home and then make a recovery partition, so if they get infected again it is a simple matter to revert their system back to a non-infected state.
I’ve already had issues with this malware… went onto a site I use frequently and up this popped. Luckily I recognised it for the potential nuisance it was. I closed the browser with little trouble and then set Avira after it. I have booted up since then with no problems.
Personally, if you see anything stating you have issues, virus etc…close all browsers straight away…and fully scan/defrag/clean your system. It should save problems developing down the line.
One disturbing thing I saw a lot of people posting here was to use System Restore. In my experience, this is also one of the worst things to do. I have seen many bugs of all kinds which “just keep coming back”, no matter what antivirus programs are used to remove them. Where were they hiding? In the System Restore, which Windows doesn’t like letting other people into. My first step when cleaning a computer (especially Windows XP) is to disable System Restore, which wipes all restore points (and any nasties which have backed themselves up into the restore points). And yes, my toolkit usually starts with MalwareBytes, SUPERantispyware & Spybot Search & Destroy.
For general Windows problems, yes, use System Restore. It generally works great. For viruses? Heck no!
Actually, this particular malware was easily eliminated. My son used my desktop the night before. When I tried to use it that malware gave me a fit. In safe mode I found it in my user's temp dir. It was a number.exe file, something like 954467.exe. In safe mode I deleted it and it was gone.
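The commenter above found the dropper as a purely numeric file name (954467.exe) in the user's temp directory. As an added example (not code from the thread or from PC Pitstop), this script turns that observation into a repeatable triage check: it walks a directory, flags executables whose name is all digits, and reports their SHA-256 for lookup. The minimum digit length, the extension list and the sample directory are my assumptions, and the sample files are constructed in a temporary folder so the script runs anywhere.

```python
"""Hunt for numeric-named executables (e.g. 954467.exe) under a temp directory."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Extensions to consider executable; '.exe' is the case reported in the thread,
# the others are an assumption for a broader sweep.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
# Names made only of digits, at least four of them (assumed minimum length).
NUMERIC_STEM = re.compile(r"^[0-9]{4,}$")


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_numeric_executables(root: Path) -> list:
    """Return sorted (relative path, sha256) pairs for numeric-named executables under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_EXTS and NUMERIC_STEM.match(p.stem):
                hits.append((str(p.relative_to(root)), sha256_of(p)))
    return sorted(hits)


def build_sample_temp() -> Path:
    """Constructed stand-in for a user's %TEMP%: one dropper-like file, two benign ones."""
    root = Path(tempfile.mkdtemp(prefix="temp_hunt_"))
    # Constructed sample: 'MZ' header bytes only, not a real program.
    (root / "954467.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "setup_log.txt").write_text("benign log line\n")
    (root / "installer_tmp").mkdir()
    (root / "installer_tmp" / "vendor_update.exe").write_bytes(b"MZ" + b"\x00" * 62)
    return root


if __name__ == "__main__":
    sample = build_sample_temp()
    for rel, digest in find_numeric_executables(sample):
        print(f"suspicious numeric-named executable: {rel}  sha256={digest}")
```

On a real machine, point `find_numeric_executables` at the user's temp directory; the hash is what you would look up before deciding the file is the dropper rather than a legitimately named installer.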
I sold a desktop to a coworker and he fell for the fake antivirus software; fixed with AV. My wife, however, fell for the Facebook scam and then sent the laptop to a friend to fix it.
Manual registry deletions, remnants of the infection… when I got home, eventually it led to a format of the hard drive and a reinstall of all programs and files, as backups were overwritten by backups made after the infection. Nice!
Never, ever, ever let someone fix your computer for you unless they are a professional or will take full responsibility for their F*&^% ups.
Make backups, but most importantly don’t let some schmo touch your backups; keep them locked up!
A year ago, I was talking to an owner of a computer store. I told him that I wish someone would do something about the mal- and spyware coming out.
He said, “I am glad they don’t! I make a lot of money on cleaning this out of computers.”
Here is some of the problem.
I don’t know if this will help, but I run Zone Alarm and when anything weird pops up I right click on the Zone icon and stop all internet activity and then do the task manager thing and stop iexplore. Avast also stops most trojans.
Unless I missed it, I didn’t see anyone use the magic fix. Whenever there is an ad letting the user think he is infected, the first thing the user does is hit the X in the upper right corner of the pop-up. Do they really think the X is from Microsoft? Like this would rid you of anything? Next time, simply hit Alt and F4 at the same time and it will USUALLY harmlessly disappear. However, your security allowed it in, so get it updated. Using Malwarebytes, update it and run a scan. If you are also using Avast!, you will see that they work in pairs, like any 2 things that work in pairs: Avast will catch all Trojans and viruses, and Malwarebytes will catch all the spyware. If they want $29.95 to fix the virus they are about to drop on your computer, just stop for a second. Don’t panic and DON’T hit the X. Put your mouse pointer somewhere on the ad in a blank spot – DON’T click it – just put it there. Hit ALT, F4 and it should set your mind at ease. I always tell my wife to update Malwarebytes and run a scan just in case. It has not failed in several years. Hope this helps. When a customer drops off his computer for this “crash”, I do as a previous user mentioned – pull the drive and connect it externally to my computer and run a scan. This doesn’t always work because you may remove a file necessary to boot Windows while cleaning the drive. So, I load a fresh drive with Windows and drag any important items (files, documents, photos, music, etc.) from his old drive over to the new drive and they are back in business. Another tip – LEARN DOS. It is extremely valuable. Today, all people know is WINDOWS. Sorry, I can’t help you there. I’m sure there is a DOS for Dummies out there somewhere.
Chuck
I recommend you NOT use a USB drive for copying the programs from a clean PC to the infected, as the USB will get infected and you might spread it to a clean PC.
After cleaning your PC, it would be wise to turn OFF System Restore, reboot, and turn it back on. This deletes your old Restore files. System Restore files can get infected and can reinfect your PC.
System Restore takes your system back to an earlier state and may not fix the problem. It does not affect your personal (pics, etc.) files, but can require you to reinstall some programs installed between now and the restore point.
Repair, done with the OS CD/DVD (or an option when pressing F8 on bootup, for some machines) can fix damaged Windows files. Repair also does not lose personal files. Repair does not clean viruses.
Recovery, usually accessed from the boot screen or from inserting a Recovery CD/DVD (from the PC maker), will wipe the drive and restore it to the same state as when purchased. You must reinstall all programs, and you will LOSE ALL PERSONAL DATA. This is a last resort you want to use, but the FIRST thing your tech support (for your retail PC) will try. It is quick, thorough, and fixes any software issue, but it does not consider the Owner/User who will be losing all personal files.
Two products that are free (you can make a donation) that complement your existing AntiVirus and Firewall are called Spyware Blaster and Spybot Search & Destroy. Highly rated and perennial power user favorites since they don’t slow your PC down — and are an additional layer of protection since they work differently. Everyone should have them. Both companies update them so evolving threats are dispensed with. And Malwarebytes is top notch, and large AntiVirus software companies actually refer their customers to use it since it works and removes threats that escape stuff and/or your A/V has trouble removing. This one acts in yet a different way as well and it’s free (and complete AND won’t nag you with ads or appeals), but I opt for the full version that is very thrifty with added features. With these three your PC won’t be compromised by threats, spam or rootkits, yet operate without slowing it down.
@Keith: Many legit sites (Facebook, Myspace, etc.) have had infected advertisements that try to install these programs. It is RARE that one needs to reinstall the OS to fix a problem.
@Everyone else…
If you suddenly have a window open that appears to be scanning your PC for problems, X out of the window and any Warning dialogs that result (they are fake warnings). It would help if you unplug the cable that gives you internet (phone or ethernet). I use MajorGeeks.Com to get all my free software. You need Malwarebytes, Avira or Avast, CCleaner, and RKILL. If you cannot get internet on the infected PC, burn these programs to a CD from a clean PC. RKILL will stop any processes that prevent installation of the other programs you need to install. Install, update, and run each of the above. If you have trouble installing or running the above, try SAFE MODE by tapping the F8 key while starting the PC. Once in Safe Mode, run RKILL then the others. If your machine is so messed up that Safe Mode will not work, remove the hard drive and install it as a second drive in a PC that has each of the programs above installed and updated. Scan the infected drive with Malwarebytes and Avira/Avast (CCleaner only works on the drive that boots up) and delete all malware found, repeating until clean. Put the drive back into the original machine, boot to Safe Mode and install/scan. Boot to Windows normally, and scan again. Keep your programs (and Windows) updated and schedule regular scans.
So far, in the several attacks that have overcome my computer’s protections, the first (and most important in my opinion) is when my browser automatically shuts down for no reason. I may or may not have noticed a weird URL pop-up or change just before it happens. As long as I immediately shut down my computer, I have been spared having to do a System Restore. However, that means I may have to do a hard shutdown (i.e., not waiting for Windows to shut down, but using either the power switch or the auto-reset button; both of which are much faster than a standard shutdown).
A similar one is one that pops up with running a virus/spyware scan. Follow the above steps.
Several times I was too long and got stuck with System Restores. The one I dislike the most (so far anyway) shows up with a Windows Security Window lookalike. It replaces your normal Security Window with its copy; disables Task Manager, making it almost impossible to get to a System Restore option; eventually your Internet access; and disassociates many of your normal file uses (.doc is no longer recognized as being a Word doc., etc.). Thankfully, I have not had to resort to paid restoration yet.
The best solution is to dump Windows for Ubuntu Linux. I use Ubuntu to remove malware and viruses from Windows PCs all the time.
D’Arc Kingham,
Lots of mail has been sent asking for a Mac & Debian Linux version of PCpitstop scan… It would also be great in the Microsoft world if Google Chrome was used instead of Internet Explorer…
JR
I repair and maintain computers here in Spain, and viruses are one of my new clients' biggest problems. I can pretty much guarantee the majority will be running Norton; it is a resource hog and quite frankly doesn’t work, or at least not effectively. Removal of the virus and Norton and installation of AVG and Malwarebytes for emergencies and periodic scans, and a little advice and tuition, has prevented problems for 95% of my clients. One piece of advice: don't run more than one antivirus program; you can pretty much guarantee they will conflict and prevent each other from working. And a question now for all you out there: why do these companies who use their so-called antivirus software as a virus to elicit money get away with it? Why are they not prosecuted and put in jail and made to pay compensation to all the people they have infected, and this goes for anyone who advertises them also?
I had “HDDSCAN” lock up my computer (McAfee didn’t catch it). I got a BSOD when I tried to restart. I installed the system on my slave drive, ran SuperAntispyware to delete the virus, deleted my temp files, but got the message “A disk read error occurred” when trying to reboot. I then ran demos of partition fix programs. I saw that the total sector count of the infected drive (320 gig) had been changed to that of the slave drive (150 gig). Since you have to pay for those programs to actually fix things, and I had no money, I tried to find a free program and came across “bootmaster”. It let me correct the sector count, then I ran a fixboot, and voila, everything is back to normal! Once before, one of those trojans renamed my hard drive, so I had to go into BIOS to fix it… I don’t know if this will work for you, since those trojans are very tricky and change all the time, but it’s something to check for before you lose all your data or pay someone a lot of money.