Anti-Spyware

Spyware is software that aims to gather information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge; it has also come to include programs that engage in various kinds of electronic fraud. Anti-spyware is software that removes or blocks that software; some common vendors include Malwarebytes, McAfee, Spybot-Search and Destroy, Ad-Aware and BitDefender.


If you are either unfamiliar with rootkits, or want to know more about them, read on....
When ransomware hits your clients, what do you do?


If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
 
LVL 30

Author Comment

by:Thomas Zucker-Scharff
@McKnife - Thanks, I'll include it. Is it okay if I give attribution to you?
Doxware
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Crypto Ransomware
You cannot be 100% sure that you can protect your organization against crypto ransomware, but you can lower the risk and impact of an infection.
The Ransomware Menace
There are many reasons malware will stay around and continue to grow as a business. The biggest reason is the expanding customer base. More than 40% of people who are infected with ransomware pay the ransom. That makes ransomware a multi-million dollar business.
 
LVL 64

Expert Comment

by:btan
Recently there is also an ID ransomware toolkit which may be handy for identification, though it may not be 100% since it is still signature based.
https://id-ransomware.malwarehunterteam.com/index.php
 
LVL 30

Author Comment

by:Thomas Zucker-Scharff
Thanks for the link btan.  The one I am looking at, Ransomware Detection Service, is similar to the one you point to, but console based instead of web based.  Also it is more for looking at network shares and identifying where an infection originated than anything else.  It should be noted that the website you linked is indeed an ID website and specifically says:

Can you decrypt my data?

No. This service is strictly for identifying what ransomware may have encrypted your files

Which is pretty much the same as RDS.
Operating system developers such as Microsoft and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built-in defensive tools such as virus protection and a firewall. Is this built-in protection enough to keep threats at bay?
 
Many people do not realize modern-day virus threats come in many forms. The viruses themselves haven't changed much, but the methods by which they infect computers are constantly evolving. Virus developers spend most of their time discovering new ways to infect computers with viruses rather than developing new types of viruses.
 

So what is a computer virus?

A virus is essentially a self-replicating file stored on a computer system that was not authorized by the user to be there. The behavior of the file may have varying characteristics. It may be used to collect, destroy or manipulate user data without their consent.
 
Fairly often the news discusses some new hacking attempt on a major computer system. Hackers can often break into these systems by planting viruses on machines that are connected to them. These viruses can collect data or give them access to files necessary to get deeper into the systems.
 

Are these threats real?


Companies such as Kaspersky, Norton and McAfee regularly publish virus infections as they are discovered. Norton actually has a threat security…
 
LVL 1

Author Comment

by:Tom Price
Hello there Jim,

I've tried uploading the article before with links and one of the editors did not approve it... should I put back the links?

I will add some headers and add an image.

Please let me know when the article was approved and "went live" ok?

Many thanks!
Tom.
 

Expert Comment

by:Jame Griffin
Some computer viruses are programmed to harm your computer by damaging programs, deleting files, or reformatting the hard drive. Others simply replicate themselves or flood a network with traffic, making it impossible to perform any internet activity. Even less harmful computer viruses can significantly disrupt your system’s performance, sapping computer memory and causing frequent computer crashes.
Many people tend to confuse the function of a virus with that of adware. This misunderstanding of the basics of what each piece of software is and how it operates causes users and organizations to take the wrong security measures to protect themselves against attacks.

For starters, let’s define what they are: virus and adware are two different types of malware, each exploiting different aspects of computing architecture to carry out their payload. Malware is simply a category used to refer to software designed to disrupt normal system operations; examples of malware are: virus, adware, spyware, Trojan, rootkit, bot, etc.

Let’s go back to our original topic and go over what makes a computer virus a virus. A computer virus is a malicious program that can replicate itself without user interaction by exploiting operating system, application, and software vulnerabilities. What the virus does after it’s been executed is another story, though the common denominator is that it’ll disrupt normal system operations and it will attempt to replicate itself.

Something interesting about computer viruses is that, as sophisticated as they can be, most of them prey on users’ vulnerabilities for the initial installation, also known as social engineering. “Good” virus writers also study human behavior and emotions, hence the I Love You virus; they plan their initial attack to align with special occasions, dates, …
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
Jorge,

This is an excellent article, but I am surprised that you did not correct more of the mistakes - they make it harder to read (I'm also surprised that a page editor didn't point that out).
 
LVL 7

Expert Comment

by:Yashwant Vishwakarma
Another good article, voted YES.

Regards,
Yashwant Vishwakarma
It started not too long ago. It was at first annoying. My keystrokes seemed to be randomly generated, not the ones I typed on the keyboard. For some reason this only happened in certain applications (especially browsers such as IE11, Firefox and Chrome), but not in others and in some applications only when I typed too quickly. What was, I thought, the oddest part of the whole thing was that the characters were random, in that if I held down a key it would generate a succession of characters, all different, one of which would eventually be itself. Odd....

I was immediately suspicious. Could this be malware of some type? Maybe a keylogger? I am fairly strict when it comes to my production machine and what I allow on it. I have multilayered security installed and several protection apps that work together to protect me from all kinds of malware. So what was happening? I scanned with everything under the sun.
 
  1. Malwarebytes Pro (with rootkit detection on)
  2. Chameleon
  3. Superantispyware
  4. SpyDLLRemover/SpyBHORemover
  5. Antirootkit software 
    1. F-secure
    2. Sophos
    3. Panda (pavark)
    4. RootkitRevealer
 
LVL 30

Author Comment

by:Thomas Zucker-Scharff
Thanks. Hope it is solved.
 
LVL 30

Author Comment

by:Thomas Zucker-Scharff
SOLUTION!! (when I first typed that it was totally unreadable)

It turns out that one of my security applications, HitmanPro.Alert, has a setting that is called Keystroke Encryption.  It is to protect you from keyloggers. When it is turned off my typing looks like this, but when I turn it on my typing looks like this: ywsrc2utfsbqi8d4mj62a2hsm5 (I typed "my typing looks like this ").  So if you run into this - check to make sure it isn't this app (now owned by Sophos, not Surfright, and called HitmanPro.Alert/cryptoguard/InteruptX)
Malware seems to be getting smarter and smarter. If you are having trouble being able to launch your malware removal tools such as (and recommended): MalwareBytes, HiJackThis, ComboFix, etc. you can try some of the workarounds listed below.

1. Malware is blocking your specific application's name.


Since many of the common tools have fixed names, they may be blocked by the malware. Try renaming the application's executable name from (MalwareBytes example) 'mbam.exe' to 'virus.com'.
Occasionally this will work and you can launch your executable as a .com file type. Be sure to set it back when you are done.

2. Malware is blocking all applications.


It is more common for malware to block all applications (and tell you that you are infected, while it itself is the infection). Try this: log off the current user. Now, log back in and press 'Ctrl'+'Alt'+'Del' repeatedly until you get the task manager. If you get it in time, the malware will load after you have brought the task manager up. If you are familiar with the names that are non-malicious you should be able to easily identify the malware. It is usually named with random numbers and letters, 8 to 14 characters long (e.g. fjh2efhn9.exe). You can end the process and search for the file, then delete it. While the primary infection may be gone, I strongly recommend you download and run a tool like MalwareBytes to clean up the remnant files and registry entries.
You may be successful in bringing up the …
 
LVL 10

Author Comment

by:MPCP-Brian
Younghv and rpggamergirl,
   I appreciate your comments and do believe they have validity. There are situations in which a manual approach can still be beneficial. One example is working remotely, assuming the tools you mentioned are not loaded previously. It can occasionally be easier to manually work through it than it is to find a way to get the tools mentioned loaded.

If you are reading this article and you are not confident in your knowledge, it is best to stick to the executables and pre-built scanners mentioned. If you feel comfortable, or you are like me (a low-level IT tech) and you can repair any damage you may inadvertently cause, feel free to get your hands dirty.
 
LVL 10

Expert Comment

by:Arman Khodabande
Yeah, using automated apps is useful ...
But reading such kinds of articles adds to the knowledge of basic users and provides better understanding of what these utilities do...
I myself like to do the thing manually  although it may be a longer and harder way...  :D
Manual Malware fighting is my favorite...
(And I have a great respect for younghv and rpggamergirl, the leaders of this topic areas)

Anyway this is a good article
Thanks
Most PC repair technicians (if not all) always start their cleanup process by emptying the temp folders before running any removal tools. It makes sense because temp folders are common places for malware installers to lurk and removing all the junk also cuts down the removal tools scanning time. With this known info, malware writers created rogues that move files to that directory.

So now we have rogue software that will move user's files to the %temp%\smtmp folder.
Infected with this malware, you must NOT empty your temp folders nor run CCleaner or any temp file cleaners until you have fully removed the rogue and everything is back to normal.

So far, the Windows Recovery and Windows Restore rogues are the culprits but there could be other variants that do the same thing.
These rogues hide files and move desktop shortcuts and Programs startmenu shortcuts into this folder --> %temp%\smtmp, it then creates 4 subdirectories:

%Temp%\smtmp\1\ => Allusers Start Menu
%Temp%\smtmp\2\ => Allusers Quick Launch
%Temp%\smtmp\3\ => Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => AllUsers Desktop

If you did not empty your temp folder you can just retrieve those files from there. Or use restoresm.zip, which will restore all the missing shortcuts.
Extract the file, open the restoresm folder and doubleclick on restoresm.bat to run it.


The Cleanup
 
LVL 32

Expert Comment

by:willcomp
@rpg -- I've seen where you recommended TheKiller in other posts. Will download and give it a try. Thanks.
 
LVL 47

Author Comment

by:rpggamergirl
TheKiller is also a pre-cleanup tool like RogueKiller that stops malicious and non-essential running processes, and is perfect for rogues like this one that hide files and move shortcuts to the smtmp folder, among its other features.

Some of the most commonly posted questions in the "Virus & Malware" Zones are related to the family of rogue malware with the date "2012" somewhere in the title.

Examples:
XP Antispyware 2012
XP Antivirus 2012
XP Security 2012  
XP Home Security 2012
XP Internet Security 2012  

Vista Antispyware 2012
Vista Antivirus 2012
Vista Security 2012
Vista Home Security 2012
Vista Internet Security 2012

Win 7 Antispyware 2012
Win 7 Antivirus 2012
Win 7 Security 2012
Win 7 Home Security 2012
Win 7 Internet Security 2012  

Proper repair of this malware is a 3-step process, using automated tools that are readily downloadable from the Internet.
1.      Fix the registry.
2.      Kill the rogue processes spawned by the malware.
3.      Run the scanner to find/repair/delete the infection.

Links to the tools are:
1.      FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
2.      RogueKiller (http://www.geekstogo.com/forum/files/file/413-roguekiller/)
3.      Malwarebytes (http://www.malwarebytes.org/) and
                TDSSKILLER (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)

Your first step is to fix the Windows registry to make sure that the applications (.exe files) you select to run will work properly. If you don’t fix this first, the infection will launch itself instead to the tool/scanner you are trying to run.

Next you have to stop the rogue processes that have taken control of your system. A related EE Article is here: …
 
LVL 14

Expert Comment

by:Rob Miners
Oops, sorry mate, I didn't mean to embarrass you, and I'm well aware of the efforts of Russel Venable and rpggamergirl's excellent contributions.
I've been out of the industry for a couple of years and it's refreshing to come back to well documented information that is relevant to these current issues. I was impressed as it has helped me to get back up to speed in a relatively short time.
 
LVL 38

Author Comment

by:younghv
rrjmin0 - Your comments were very flattering - as were Russell's. I guess I just need to enjoy it. As an aside, I just found out that I (or my grandsons) will be getting a new EE T-Shirt...which is always a cool thing.

The whole EE Articles concept has been a great idea. I will sometimes wander through some of the non-malware Zones and it is amazing to see the variety of 'right here, right now' usable advice that is posted.

Thank you for the comments.

Sub-Titled: “My Way” (with apologies to Francis Albert Sinatra)


Let me start by stating emphatically that I am one of those Experts who prefer doing things “My Way”.

It’s kind of a no-brainer. “The following procedure works for me, so here is what I recommend that you do…”.

I believe that recommending methods that work for you (me) is exactly what Experts-Exchange is all about and it is the rule that I follow when posting advice.

When attempting to help one of our Members with a malware problem we need to be extremely cautious that any “My Way” advice is also consistent with the known best practices.

As Malware Experts, our first goal should be to identify which variant we are dealing with, and then provide the best known “safe” fixes to get the system cleaned and running properly.

The purpose of this Article is to discuss the procedures listed below. As in many areas of IT, there is often wide disagreement about “Best Practices” and I am hopeful that all reading this will join in a robust discussion of the topic.

This Article is the result of a lot of work by a lot of people. Unfortunately, the EE Articles process does not allow for "Multiple Authors", but this would have been impossible for me to put together without the extended technical advice of rpggamergirl and thermoduric.

Anyone even casually familiar with the Virus & …
 

Expert Comment

by:ptruswell
Succinct and to the point @younghv; it is easy to forget that malware does have a mission, and in the time between infection and removal (which in some cases can be months if not years) that mission will be meeting its goals, be they to compromise data/identity/security/passwords etc etc.

When asked about Internet security I always respond by saying that all software solutions of this type are your second line of defense, the first being the human user; but when it comes to recommending products it's a case of "...well how many walls did the Romans usually build around British cities to defend them? Answer: one." I guess therefore that MSE+Win Firewall is the wall and MBAM is the moat! Too much security technology is in my experience as bad as too little.

I am trialing MBAM Pro alongside MSE now.
So what am I on the look out for?...
Infection?  No.
Downturn in performance?  Yes.
So far so good :)

Prevention vs. Repair ...a great title indeed! :)
 
LVL 26

Expert Comment

by:Blue Street Tech
+1 :)
The intent of this Article is to provide the basic First Aid steps for working through most malware infections. The target audience includes experienced IT professionals and the casual user who just wants to make the infection go away.

****************
For those familiar with basic “First Aid” principles, one of the first steps in a medical emergency is to “stop the bleeding”.

If you come upon an injured person, you don’t splint a broken leg first, right? You make sure air is flowing into the lungs, stop the bleeding, and then treat for shock.

After getting the basics out of the way you can then move on to address any other problems that exist.
*******************

Fighting Malware (http://en.wikipedia.org/wiki/Malware) must start with:


“Stop the Rogue Processes”


Most variants of malware will make your computer do something that you don’t want it doing. It might be a simple ‘re-direct’ problem, where you type in www.abc.com and your browser goes to www.xyz.com – not a big deal, right?

Well, maybe it is a very big deal. You didn’t end up at the web site you intended, and who knows what is waiting for you when you get to that re-directed site. It's not uncommon for malware to direct users to sites where they can pick up other "drive-by downloads" or even to install additional malware directly.

You might click on one of your favorite applications, but instead of “MS Word” opening up, totally different functions start happening.

Worse than…
 
LVL 38

Expert Comment

by:lherrou
BillDL: It's =^_^=

("=" are the red cheeks)

(but the praise is deserved)
 
LVL 38

Expert Comment

by:BillDL
He, he.  Looks more like Para Wings. Thanks.  Where's this article? ;-)
To Remove Security Suite for Windows Malware from a Windows XP Machine:

 Restart computer in Safe Mode (to do this see http://tinyurl.com/me78p)

Login as Administrator

Go to My Computer / Tools / Folder Options / View, check the selection that says Show Hidden Files and Folders, and then make sure you uncheck Hide Protected System Files. That is very important because that’s where this particular variation hides!!
Then go to C:\Documents and Settings\User Profile infected\Local Settings\Application Data. In the Application Data folder there was a folder called goijmdwag and one called awmdlrnuqiw. I deleted both of those because when I opened the folders I found the offending program “Security Suite for Windows” in them.

Empty Recycling Bin

Run Regedit (to do this see: http://preview.tinyurl.com/yhph8yt ) On a side note, ALWAYS backup your registry before making edits to it.  You can render your computer USELESS with incorrect editing.  Once that is done, you will have to reinstall Windows.
Go to the Edit menu and select search.  A pop up box will show up and in your search, type in the offending files, in my case  “goijmdwag” and “awmdlrnuqiw”
These files can be located in the following hives:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
 
 
LVL 3

Author Comment

by:aimee1002
I had tried Malware Bytes, Spybot, Symantec and TrendMicro and none of them completely cleaned the system.   After I cleaned the system with all 4 of these tools we still had issues, the infection would come back even though Windows Restore feature was shut off.   I did lots of research on the internet and couldn't find anything.   What I did find is that there were hidden folders with weird names that I know didn't belong on the system.  I deleted the files and then did a search on the registry to find that the offending malware kept reinstalling itself because of what hives it resided in the registry.   Once I cleared those up we haven't had any issues with the system.  
 
LVL 38

Expert Comment

by:younghv
I think most users would be better served to use the automated tools available here:
http://www.bleepingcomputer.com/virus-removal/remove-av-security-suite

In virtually every instance, the automated tools do the delicate work of modifying the Registry entries properly and we don't have to worry about having one of those 'Oops' moments that can have some very serious consequences.

They will make sure that ALL of the needed changes are made (including the Proxy setting).

It should also be noted that there is a great deal more involved in repairing this infection than is described here.

For MBAM to be effective with this variant, you need to boot to Safe Mode (with networking) before starting.
I am often asked to remove malware from computers that have none.  It is useful to know what is and is not malware.  Malware is malicious software of any kind, this includes:
Spyware - Is generally software downloaded to a user's computer that attempts to collect information about the user without their knowledge. One type of spyware is a keylogger (see below). Wikipedia's definition
Computer viruses - this term is sometimes confusingly used to refer to any computer infection. A computer virus must be able to reproduce itself, and it is usually software which alters a file or files in order to cause harm to your computer. Sometimes a virus will do nothing at all and sometimes it can completely destroy a hard drive - this is known as the payload.
Computer Worm - A worm is a self-replicating piece of software. Worms spread through a network with little or no user interaction. A computer worm can spread because the target system(s) is in some way vulnerable. For instance, if a software or operating system patch has not been applied, this leaves the system open for attack. On our own network we experienced a worm spreading to computers which did not have a password on the default login.
Keyloggers - software planted on your computer to record keystrokes as you type and then send them off to a remote server (used for identity theft)
INTRODUCTION

"Virut" is a nasty, polymorphic file infector, and it infects every executable and screensaver file on access. Some variants also infect .htm, .html, .rar and .zip archives, and the latest variants infect .php and .asp files. It patches system files, e.g. userinit.exe, winlogon.exe, svchost.exe, spoolsv.exe, explorer.exe and sfc_os.dll, among others.

This virus will also open a backdoor and connect to an IRC server. It then joins a channel and waits for commands to download files and other malware.  It can also install a Trojan/Rootkit in the infected system.

Virut is a buggy file infector with destructive power; it destroys files. It infects files improperly (it mis-infects because of its buggy code), so these files are corrupted beyond repair. Antivirus and other scanners can't clean the infected files, so these get deleted instead, and as a result programs will stop working.


METHOD OF INFECTION:

It gets in the System usually when the user uses P2P, browsing crack and keygen sites or visiting infected webpages. Files in the network shares will also get infected if accessed by a compromised machine with write access. It can also spread via Roaming profiles and removable media such as removable discs or USB drives.

SYMPTOMS:

Once the system is infected, you will notice that some programs no longer work, the system becomes sluggish, and you'll start getting errors as files get corrupted. You won't be able to open most …
 
LVL 38

Administrative Comment

by:younghv
HSumlin -
I see that you were referred here in a recent technical question you posted.
"Articles" are here for general information and not for specific advice with problems.

You should respond only over in your original question - where there are some Expert suggestions waiting for you.

younghv
Page Editor
 
LVL 23

Expert Comment

by:phototropic
Like younghv, I've just realised that I have referred to this article several times in answers to questions, but forgotten to vote "yes".

Great article - really useful when trying to explain why a file infector is so problematic.
