Friday, 31 May 2013

Protecting Against Rootkits with RKhunter (Rootkit Hunter)

When operating a Linux server, one of your primary objectives is to run a secure and healthy server. A hacker has several ways to compromise a server. One of these methods is installing a rootkit to gain easy access to your Linux server. A rootkit is designed to hide malicious processes and files within your server, which allows hackers to connect and use your server for illicit activities such as phishing, botnet control, launching DDoS attacks, etc. Scanning regularly for rootkits is recommended to prevent further detrimental activities on the server. There are several rootkit scanners available for download, but today we will focus on rkhunter, short for The Rootkit Hunter project.

Rkhunter is a Unix-based tool designed to scan machines and/or servers for rootkits, backdoors, etc. It does this by running multiple tests which compare the local data with several signature databases. This tool has been designed to be fairly easy to use and can run tests in bulk or separately. The Rootkit Hunter project was initially created by Michael Boelen in 2006 but has since been taken over by a 3 person development team.

Rkhunter is a fast, complete and easy to use solution to mitigate rootkit and malware threats. Keep in mind that rkhunter is a passive rootkit scanner (it needs to be scheduled or run manually), which means that it won’t detect rootkits on the fly and it should not be relied on as a preventive counter-measure in your Security Strategy. The Rootkit Hunter project should only be used as a post-incident tool to detect a breach of security that has already occurred. It is recommended to run it often as part of a comprehensive and exhaustive security strategy. Rkhunter needs to be run in bash and with root access privileges. After each scan, scheduled or not, you will receive a comprehensive and detailed log result.

Rkhunter can be installed within minutes. In the following section, you will be provided with a simple step by step tutorial to install and then run your first scan of rkhunter. The test has been run from a GloboTech dedicated server located in Canada. Afterward, you will learn how to run custom rootkit scans using this tool.

Download and Install RKHunter

cd /usr/src
# fetch the 1.4.0 source tarball
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
# unpack it and move into the source directory
tar zxvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0/
# install with the default file layout (binary in /usr/local/bin, config in /etc)
./installer.sh --layout default --install

Update RKHunter's Definition Database

Type “rkhunter --update” to make sure your rkhunter definition database is up to date.

Run RKHunter for the first time

Type “rkhunter -c --sk” to run rkhunter for the first time. This launches a manual scan, and adding “--sk” skips the keypress prompt after each section has finished scanning. The “-c” flag tells rkhunter to run the system checks.

This operation produces a long log file with a summary of the scan at the end. Here is a sample of this output:

System checks summary
=====================

File properties checks...
Files checked: 137
Suspect files: 0

Rootkit checks...
Rootkits checked: 312
Possible rootkits: 0

Applications checks...
Applications checked: 7
Suspect applications: 0

The system checks took: 33 seconds

All results have been written to the log file (/var/log/rkhunter.log)

This is pretty straightforward to understand. For example, it reports that it has checked your system against 312 known rootkits and has found no existing threat.

Available test options

Rkhunter offers several test options when launching a scan. Here is a list of the most popular test groups, each followed by the individual tests it contains:

additional_rkts => possible_rkt_files possible_rkt_strings
group_accounts => group_changes passwd_changes
local_host => filesystem group_changes passwd_changes startup_malware system_configs
malware => deleted_files hidden_procs other_malware running_procs suspscan
network => hidden_ports packet_cap_apps ports promisc
os_specific => avail_modules loaded_modules
possible_rkts => possible_rkt_files possible_rkt_strings
properties => attributes hashes immutable scripts
rootkits => avail_modules deleted_files hidden_procs known_rkts loaded_modules other_malware possible_rkt_files possible_rkt_strings running_procs suspscan trojans
shared_libs => shared_libs_path
startup_files => startup_malware
system_commands => attributes hashes immutable scripts shared_libs_path strings

You can run several tests in a single scan with the following command: rkhunter --enable followed by a comma-separated list of test names.

For example, if you would like to run a scan for the tests “malware, rootkits, additional_rkts, startup_files, other_malware”, you would type this command: rkhunter --enable malware,rootkits,additional_rkts,startup_files,other_malware --sk


Even if you are taking preventive measures to keep your server from being hacked, scanning it with rkhunter is a good way to find out quickly whether it has been compromised. By adding a cron job that automates the scan on a daily basis and emails you the results, you can act immediately when you are notified of a threat.
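A wrapper that ties the --enable selection above and the daily cron scan together, added here as an example and not taken from the original post or from the rkhunter project: it refreshes the definitions, runs the selected tests unattended, pulls the summary block out of the log and mails it only when something was flagged. The recipient address, the script path in the cron line and the sample summary at the bottom are my own assumptions; the log path and the test list come from the post.

```shell
#!/bin/sh
# rkhunter-daily.sh: scheduled rkhunter scan with e-mail alerting.
# Added example; not from the post or the rkhunter project.
# Assumptions: rkhunter and mail(1) are on PATH and this runs as root, e.g. from cron:
#   0 3 * * * /usr/local/sbin/rkhunter-daily.sh run
ADMIN_MAIL="${ADMIN_MAIL:-root@localhost}"               # assumed recipient
RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"    # log path shown in the post's summary
# Test selection taken from the post's --enable example.
TESTS="malware,rootkits,additional_rkts,startup_files,other_malware"

# Print the number after "<label>: " in the summary read from stdin (nothing if absent).
summary_field() {
    sed -n "s/^$1: *\([0-9][0-9]*\).*/\1/p"
}

# Sum the three finding counters of a "System checks summary" block passed as $1.
# A missing counter counts as zero, so a truncated summary still yields a number.
count_findings() {
    _files=$(printf '%s\n' "$1" | summary_field "Suspect files")
    _rkts=$(printf '%s\n' "$1" | summary_field "Possible rootkits")
    _apps=$(printf '%s\n' "$1" | summary_field "Suspect applications")
    echo $(( ${_files:-0} + ${_rkts:-0} + ${_apps:-0} ))
}

# Cut the summary block (from its heading to end of file) out of an rkhunter log.
extract_summary() {
    sed -n '/^System checks summary/,$p' "$1"
}

# Update definitions, run the selected tests unattended, mail the summary on findings.
# Exit status: 0 clean, 1 findings reported, 2 no readable log (scan did not run).
run_scheduled_scan() {
    rkhunter --update >/dev/null 2>&1 || true   # a failed update must not skip the scan
    # --cronjob implies -c, --sk and --nocolors; --report-warnings-only keeps stdout quiet
    rkhunter --cronjob --report-warnings-only --enable "$TESTS" >/dev/null 2>&1 || true
    [ -r "$RKHUNTER_LOG" ] || return 2
    summary=$(extract_summary "$RKHUNTER_LOG")
    n=$(count_findings "$summary")
    if [ "$n" -gt 0 ]; then
        printf '%s\n' "$summary" | mail -s "rkhunter: $n finding(s) on $(hostname)" "$ADMIN_MAIL"
        return 1
    fi
    return 0
}

# Constructed summary (not real scan output) to exercise the parser offline.
SAMPLE_SUMMARY='System checks summary
=====================

File properties checks...
Files checked: 137
Suspect files: 2

Rootkit checks...
Rootkits checked: 312
Possible rootkits: 1

Applications checks...
Applications checked: 7
Suspect applications: 0'

case "${1:-}" in
    run) run_scheduled_scan ;;
    *)   echo "sample findings: $(count_findings "$SAMPLE_SUMMARY")" ;;   # prints 3
esac
```

Invoke it with the argument run from cron; without arguments it only parses the constructed sample so the counting logic can be checked on a machine without rkhunter.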

For further information, please refer to the homepage of “The Rootkit Hunter project” at the following address: http://sourceforge.net/apps/trac/rkhunter/wiki/MPRKH#Contents

System Doctor 2014 Virus Removal Guide

System Doctor 2014 malware is a very serious problem and one that can have huge knock on effects on everything from your files to your online bank account. Read on as we tell you a little more about this rogue security software and the things you need to look out for so that you can protect yourself against it.

Every computer should have a decent anti-virus or security software program installed and hackers know this, which is why unscrupulous computer programmers have marked it out as a lucrative business and one which they can exploit for their own gain. Generally speaking there are three ways they can do this. Let’s take a look at what they are:

One: by profiting from the sale of rogue security software that simply doesn’t work.

Two: by selling fake security software that contains malware that has been programmed to steal your personal data so they can commit identity theft or plunder your bank account. System Doctor 2014 is a great example.


Three: by selling rogue security software that contains malware that has been programmed to steal your personal data so they can sell your personal details, bank account information or credit card numbers on to a third party.

It’s a win-win situation for these cyber criminals as they are not only getting paid for an ineffective program which took them little or no effort to create, but many of them are stealing your personal information too.

And if you are a victim, not only are you paying for a useless program and leaving yourself vulnerable to bank account fraud or identity theft, but the malware can also do serious damage to your computer’s operating system by infecting it with a virus which can lock down your system, destroy your web connectivity or corrupt your files. Not to mention that it displays very annoying security center alerts claiming that your computer is infected.


So how does this fake antivirus program work? Firstly, the malware will be called something that is very similar to genuine security software in an attempt to get you to download it. This of course is an obvious ploy, but how many of us know all the names of real security software brands anyway? System Doctor 2014 sounds credible, right? Wrong: it's a rogue security application.

The cyber criminals are clever marketers too and will further attempt to fool you and entice you in to buying their program by offering you ‘free’ or ‘trial’ versions of the software or by advertising ‘free upgrades’.

They may also target you with fake pop-up windows that warn you that your computer is infected with a virus or is running slowly because you have unnecessary files stored on your hard drive – and they’ll tell you that by clicking on the window you’ll be able to clean your computer.

Another sneaky way of attempting to get you to download their fake security software is by manipulating search engine results pages so that their own infected website appears as the top result. The majority of us click on the first search result, so for a rogue malware programmer this is highly effective. Once you click on the link you’ll be redirected to a home page which will tell you that your computer has a virus – oh, but help is at hand because they just so happen to have a free trial for their (rogue!) security software right there.

Another thing to look out for is spam email from so-called software security companies who will send you the bargain of a lifetime – if you just click on the link that they’ve sent you.

So apart from being alert, how else do you protect yourself and make sure you don’t become a victim of one of these scams? Firstly having a genuine security software or anti-virus program installed on your computer is an absolute must. If you’re not sure which names to look out for and are now paranoid about being duped speak to a friend who knows a little more about computers, ask in your local PC store or read online PC magazines to get an idea of what to look for. However it’s not enough just to have security software installed; you also need to make sure that it is up to date and has the latest patches.

Put simply, if you have an outdated anti-virus or worse you don’t have ANY security software installed – do it right now! If you have encountered this malware, please follow the System Doctor 2014 removal guide below. If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com


System Doctor 2014 removal instructions in Safe Mode with Networking:

1. Please reboot your computer in "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Open Internet Explorer and download TDSSKiller. Run the utility and click Start Scan to run the anti-rootkit scan.

3. Then download recommended anti-malware software (direct download) and run a full system scan to remove the rogue program from your computer.


Manual System Doctor 2014 removal instructions:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Right click on the "System Doctor 2014" icon, click Properties in the drop-down menu, then click the Shortcut tab.



In the Target box there is a path to the malicious file. You can simply click the Target button to open the target folder.



NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data/Program Data directory.

3. Remove malicious files.

File location, Windows XP:
C:\Documents and Settings\[UserName]\Application Data\[RandomFolder]\[random].exe

File location, Windows Vista/7:
C:\Users\UserName\AppData\Roaming\[RandomFolder]\[random].exe



Delete the entire folder or at least the main executable file which in my case was RLViNf4K.

4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller and remove the rootkit.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove System Doctor 2014 virus from your computer.


System Doctor 2014 associated files and registry values:

Files:
  • C:\Users\UserName\AppData\Roaming\[RandomFolder]\[random].exe (Win Vista/7)
  • C:\Documents and Settings\[UserName]\Application Data\[RandomFolder]\[random].exe (Win XP)
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"

Thursday, 30 May 2013

Remove oyodomo.com pop ups and redirects (Uninstall Guide)

Have you ever been innocently browsing the web then found that all of a sudden your web browser shows unsolicited oyodomo.com pop ups that you’ve never set eyes on before? If so you may quite rightly be wondering where on earth they came from.

Unfortunately it sounds like you’ve been the victim of browser hijacking – when a third party commandeers your browser, reconfigures the settings, adds their own extensions and has possibly, very kindly, saved you some new ‘favourite’ links to websites that you’ve never visited before. If something called "oyodomo.com" keeps popping up then your computer is infected with adware/PUP that hijacks your web browser and either displays pop-ups or redirects your Google searches to some random search engine, and may even slow down your computer. Pop-ups may come up every ten minutes or whenever you open a new tab. Needless to say, this can be really disturbing.


What is the reason behind someone wanting to attack your computer and display pop ups or redirect your search results? Put quite simply it’s all about the money. There is a whole culture of cyber criminals and hackers who are working behind the scenes to attain financial gain by infecting regular computer users like you and me with their browser hijackers and similar malware. But how do these hackers actually make their money? Well they might direct you to a website of their choosing, hoping that you’ll click and spend, either for their personal finances or for someone else’s.

Creators of oyodomo.com are usually, unfortunately for us, pretty good at what they do too, with many of them changing their coding on a frequent basis so that they can avoid being easily detected by antivirus software. But it's very important to understand that the website itself isn't malicious. The main problem is misleading ads and redirects that may lead you to malware and other PC threats.

However, it’s not just drive-by downloading that can install unwanted software and adware on your computer – as computer users we can also be responsible for unwittingly causing havoc with our very own systems. For example a lot of freeware, shareware and even some commercial software programs will also try to sneak an unwanted browser tool bar past you when you’re downloading them. The trick here is to pay attention! Most of us are guilty (I know I certainly am) of downloading something and being so eager to install it that we don’t pay any attention to the End User Agreement, i.e. the setup screen that asks you if you want to opt out of certain add-ons.

A good example of this is Java. When you update your version, if you don’t uncheck one of the boxes in the set-up window, you'll also install the Yahoo tool bar. Now, Yahoo is a reputable company and their tool bar is not spyware and is easily uninstallable, however it’s possibly something that you didn’t want added to your browser.

Therefore the three rules to abide by are: read the small print when downloading or installing, don’t click on links or pop-up boxes if you’re not sure what they are – and of course - make sure your PC’s antivirus software is always smack bang up to date. Now, to remove malware that causes oyodomo.com pop ups and redirects, please follow the removal guide below. All you need to do is remove recently installed adware and malicious web browser extensions. And of course, you should scan your computer with recommended anti-malware software to make sure that your computer is clean. If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com


oyodomo.com removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.





2. Uninstall recently installed applications, including web browser extensions and related programs, from your computer using the Add/Remove Programs control panel (Windows XP) or the Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove DownloadTerms, LyricsPal, HD Flash Player and any other recently installed application.



Simply select the application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove oyodomo.com from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon to remove DownloadTerms, LyricsPal, HD Flash Player or any other recently installed extension.




Remove oyodomo.com from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Remove DownloadTerms, LyricsPal, HD Flash Player or any other recently installed extension. Close the window.


Remove oyodomo.com from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons.




2. Select Toolbars and Extensions. Remove the DownloadTerms, LyricsPal and HD Flash Player Internet Explorer add-ons.

Tuesday, 28 May 2013

Remove The United States Courts Virus (Uninstall Guide)

One of the newest scams around at the moment and something we all need to be aware of is the United States Courts virus (your computer has been locked) which can not only have a financial impact upon you but can have a devastating personal effect too. As with most malicious software – or malware for short – ransomware has several different strings to its bow so to speak and one of the most cunning is something known as police themed ransomware. Whether you think this sounds official and law abiding or decidedly sinister (you’d be right about the latter) read on as we explain what the United States Courts ransomware is, and how it can affect you personally, your bank account and your computer.

Whilst being physically kidnapped is probably not a major concern for most people reading this (unless you’re the child of a high profile celebrity, in which case, ‘hi’!) most of us probably don’t realize that our computers – and our personal files and documents - can be hijacked or kidnapped too.


We’re all aware of computer viruses and, yes, they can be very problematic but there’s now an even more worrying trend in the world of computer crime to be aware of and that’s ransomware – or, as it can also be called, scareware, cryptoviruses, cryptotrojans and cryptoworms.

So what is ransomware, and in particular the United States Courts ransomware, how does it find its way onto our computers and how can we get rid of it if we’re unfortunate enough to fall prey to it?

As the name suggests, the United States Courts virus infects your computer, holds your personal data and documents for ransom and then asks you to pay in order for them to be released. It falls into the category of a drive-by virus because it’s malware that has installed itself on your PC or laptop without your knowledge or permission when you visited an infected or compromised website.

Take Reveton, a fairly recent piece of malware, as a good example of law enforcement ransomware. Let’s say you’re using your computer, innocently browsing the web, doing some work, researching vacation destinations…and suddenly your computer freezes and a message from your local police force or national law agency, or in this case the United States Courts, displays on your screen. This message will look like the real deal with logos and authentic sounding wording. It will tell you that you’ve been caught viewing, accessing, storing or downloading illegal content on your computer - and it will ask you to pay a fine in order for your PC to be unfrozen. The fake message says:
United States Courts
YOUR COMPUTER HAS BEEN LOCKED
Criminal Case NO. 4:12CV072011
Illegally downloaded material (MP3's, Movies or Software) has been located on your computer.
By downloading or uploading, those files have been reproduced, thereby involving a criminal offense under 17 U.S.C.A. SS506(a) and 18 USCA SS2319 (2)(A)(B).
. . .
All of your files have been encrypted, any attempt to unlock your computer by yourself, will result in loss of all your data.
This program is maintained by the Administrative Office of the U.S. Courts on behalf of the Federal Judiciary.
The fake message also warns that you have only 48 hours to pay the 'fine', which is $300 or sometimes even more. The 'fine' can be paid using MoneyPak.

Naturally this is extremely worrying and your first instinct is to panic and search your memory for what website or content could possibly have triggered such a message. And your second instinct might be to pay up – either because you have looked at adult content recently – or whether you have or haven’t, are too embarrassed to seek help from a computer professional. Using something that potentially could cause emotional distress or cause issues in a relationship is exactly what the cyber criminals want as they hope to get you over a barrel.

These days the United States Courts virus is becoming even more sophisticated as it knows which country you are in and will display a message in your local language. There have even been reports of ransomware and other malware that have personalized voice messages and other sound effects, as the hackers tighten their grip and try to make their scams even more convincing. Not to mention that the virus may turn on your web cam and take a picture of you.

So what should you do if you’re the victim and your PC has been infected by the United States Courts MoneyPak virus? Number one: do not pay. Not only are you helping bankroll a scam (some of these criminals earn hundreds of thousands of dollars a month thanks to their malware) but there’s no actual guarantee that they will unlock your system and release your files once you’ve paid; after all these are hardly the most trustworthy of people and there have been many reports of the hacker simply receiving payment and then moving on to their next victim without bothering to return your computer back to normal.

Your best bet is to follow the United States Courts virus removal guide below or to take your computer to a known local computer store and ask them to take a look at it and try and unlock it, or alternatively you could call your antivirus software program’s customer help desk as they should be able to advise which strain of ransomware has infected you and will be hopefully able to give you a step by step guide to removing it.

And on that note, let’s just impress upon how important it is to have reputable and up to date antivirus software installed on your computer! If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com


Method 1: The United States Courts virus removal instructions using System Restore in Safe Mode with Command Prompt:

1. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the United States Courts virus will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the virus.


Method 2: The United States Courts virus removal instructions using System Restore in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "system restore". Or you can browse into the Windows Restore folder and run System Restore utility from there:
  • Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
  • Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
3. Select Restore to an earlier time or Restore system files... and continue until you get into the System Restore utility.

4. Select a restore point from well before the United States Courts virus appeared, two weeks should be enough.

5. Restore it. Please note, it can take a long time, so be patient.

6. Once restored, restart your computer and hopefully this time you will be able to login (Start Windows normally).

7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove the virus.


Method 3: The United States Courts virus removal instructions using MSConfig in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start then select Run.... Type in "msconfig" and click OK.

3. Select the Startup tab. Expand the Command column and look for a startup entry that launches a randomly named file from the %AppData% or %Temp% folders using rundll32.exe. See the example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

4. Disable the malicious entry and click OK to save changes.

5. Restart your computer. This time Start Windows normally. Hopefully, you won't be prompted with a fake United States Courts screen.

6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the United States Courts virus.


Method 4: Manual United States Courts virus removal instructions Safe Mode (requires registry editing) :

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. When Windows loads, open up Windows Registry Editor.

To do so, please go to Start, type "registry" in the search box, right click the Registry Editor and choose Run as Administrator. If you are using Windows XP/2000, go to Start → Run... Type "regedit" and hit Enter.

3. In the Registry Editor, click the [+] button to expand the selection. Expand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run



Look on the list to the right for a randomly named item. Write down the file location. Then right click the randomly named item and select Delete. Please note that in your case the file name might be different. Close Registry Editor.

In our case the malicious file (pg_0rt_0p.exe) was located in Application Data folder. So, we went there and simply deleted the file. We're running Windows XP.

File location: C:\Documents and Settings\Michael\Application Data\



If you are using Windows Vista or Windows Seven, the file will be located in %AppData% folder.

File location: C:\Users\Michael\AppData\Roaming\

Finally, go into the Windows Temp folder %Temp% and click Date Modified so the newest files are on top. You should see an exe file, possibly with the name pg_0rt_0p.exe (in our case it was exactly the same), but it may be different in your case. Delete the malicious file.

One more thing, check your Programs Startup list for the following entry:

[UserPATH]\Programs\Startup\ctfmon.lnk - C:\Windows\system32\rundll32.exe pointing to [UserPATH]\Temp\wpbt0.dll,FQ10 (or FQ11)

In our case it was ctfmon.lnk pointing to a malicious file which then loads the fake ransom warning. Please note that in your case the file name might be different, not necessarily ctfmon.lnk. Simply disable or remove (if possible) such an entry and restart your computer.

4. Restart your computer into "Normal Mode" and scan the system with legitimate anti-malware software.

5. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of United States Courts virus.

To learn more about ransomware, please read Remove Trojan.Ransomware (Uninstall Guide).

Remove "Internet Security 2014" Malware (Uninstall Guide)

Internet Security 2014 is software which purports to discover and clean viruses, spyware and malware from your computer’s system. Since it's a rogue antivirus, it doesn’t actually do that. But it does look like something Windows would install. It either doesn’t work or it actually infects your computer with the very thing it is pretending to protect you against! Its fake scan will also start straight away when you log into Windows.

So how can you tell the difference between genuine antivirus software and malicious fake antivirus software? And what should you do if you suspect that your computer has been infected? Read on and we’ll take a look at how even if you are sceptical you can still fall victim to the scammers.


Have you ever been surfing the web when suddenly a pop-up window or alert appears on your screen either telling you that you have unnecessary items on your PC that are slowing it down, or even more worrying, that you’ve been infected with a virus? This alert may look like it comes from your antivirus software provider or it may come from one you’re not aware of – but regardless it looks real and anyway, why should you think otherwise?

However, even if you are suspicious or even if you think, ‘I’ll deal with that later’ you may be tempted to click the little ‘x’ in the right hand corner of the pop-up to get rid of it. But stop – don’t because even ‘getting rid’ of the pop-up can cause untold trouble and computer issues. You may have now started seeing pop-up adverts all over your screen, maybe your screen has frozen, perhaps you can’t access your programs or documents. What has happened is that your whole computer has been disabled.

Some hackers do this purely because they can – we can only assume it's their version of having 'fun', however the majority of hackers are running a scam and want to trick you into buying fake antivirus, in this case Internet Security 2014, which is supposedly designed to protect you. Again, you're happily browsing the internet or busy working when, hello again, our friend the virus warning alert pops up. Just as before, it may look like it's come from your own antivirus company or it may be one you don't recognise. You might be tempted to let it scan and clean your system for you but what it will actually be doing is simply showing you a fake scanning screen – the result of which will be to pronounce that, yes, you have been infected by Win32/Blaster.Worm and hundreds of other viruses.



What you will then see is a window from Internet Security 2014 which will attempt to frighten you into paying to have your computer 'cleaned' by asking if you want it to get rid of the virus or if you want to continue working on your infected computer. Of course, most of us will panic and hand over our credit card details. So now we've got two issues: one is that we're paying for something that wasn't a problem in the first place and, two, we're handing over sensitive information to a scammer.

And it gets worse because some fake antivirus software even installs rootkits onto your computer so that it can log your key strokes and/or take screen shots so that your passwords, log-ins, credit card details and other private data are collected. The hackers will then use this information to plunder your bank account, spend on your credit card or commit identity theft. Alternatively they may sell the information on to a third party. Recently, scammers started to use Sirefef malware to block genuine malware removal programs.

A rogue virus alert comes from a program called Internet Security 2014, which is malware that takes over the control of your computer. So how do you stop yourself downloading rogue software unwittingly? The first rule is not to open any email attachment or click a link in an email that comes from someone you don’t know. No matter how enticing the title, do not be tempted. You might think it’s a harmless link that just wants to direct you to a website that’s selling something but it could actually be a way of installing malware on your computer. And definitely don’t click on pop-ups advertising antivirus software!

Last, but not least, the fake antivirus program blocks web browsers and Windows utilities, even Notepad, to protect itself from being removed. It simply announces that your web browser or any other program is infected with Win32.Blaster.Worm. As an additional self-protection module, Sirefef may be bundled with it, making the infection even more complicated to fix. To remove Internet Security 2014 malware from your computer, please follow the removal guide below. If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com


Manual activation and Internet Security 2014 removal:

1. Choose to remove threats and manually activate the rogue antivirus program. Enter one of the following codes, together with a fake email address, to activate Internet Security 2014:

Y68REW-T76FD1-U3VCF5A
Y86REW-T75FD5-U9VBF4A
Y76REW-T65FD5-U7VBF5A
Y86REW-T75FD5-9VB4A
SL55J-T54YHJ61-YHG88



2. Then download recommended anti-malware software (direct download) and run a full system scan to remove this malware from your computer.


Internet Security 2014 removal instructions in Safe Mode with Networking:

1. Please reboot your computer into "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Open Internet Explorer and download TDSSKiller. Run the utility and click Start Scan to run an anti-rootkit scan.

3. Then download recommended anti-malware software (direct download) and run a full system scan to remove the rogue virus from your computer.


Manual Internet Security 2014 removal instructions:

1. Right click on the "Internet Security 2014" icon, click Properties in the drop-down menu, then click the Shortcut tab.



In the Target box there is a path to the malicious file.



NOTE: by default, the Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data/Program Data directory.

3. Rename the malicious file.

File location, Windows XP:
C:\Documents and Settings\All Users\Application Data\amsecure.exe

File location, Windows Vista/7:
C:\ProgramData\amsecure.exe



Rename amsecure.exe to virus.exe or whatever you like. Example:



4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller and remove the rootkit.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove Internet Security 2014 virus from your computer.


Internet Security 2014 associated files and registry values:

Files:
  • C:\ProgramData\amsecure.exe (Win Vista/7)
  • C:\Documents and Settings\All Users\Application Data\amsecure.exe (Win XP)
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security 2014"

Monday, 27 May 2013

What is BCHelper.exe and how to remove it?

BCHelper.exe - Browser Companion by Blabbers Communications LTD


What is bchelper.exe?


DefaultTabSearch.exe is a part of the BrowserCompanion PUP/Adware. It's not essential for Windows and may cause problems, for example slowing down your computer or displaying the following error message at Windows startup: "BCHelper.exe - system error". Very often this happens because sqlite3.dll is missing or corrupted. What is more, this program runs in the background and periodically checks for updates. It may display advertisements on your computer and download additional adware/spyware onto your computer without your knowledge. It may also collect information about the websites you visit and things you like. Later this information may be used to deliver targeted ads to you while you surf the web. ESET, Trend Micro, Malwarebytes and some other anti-malware programs detect this program either as adware or as a generic Trojan. Usually, it's detected as Win32/BrowserCompanion.A or PUP.Blabbers. I recommend that you remove BCHelper.exe from your computer.

File name: BCHelper.exe
Publisher: Blabbers Communications LTD
File Location Windows XP: C:\Program Files\BrowserCompanion\bchelper.exe
File Location Windows 7: C:\Program Files (x86)\BrowserCompanion\bchelper.exe
Startup file: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 'Browser companion helper'
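A defender's read-only check for the startup indicators this page lists, both for Internet Security 2014 (amsecure.exe and its Run value, above) and for BCHelper.exe (the Run value and paths just given). This is an added PowerShell example, not a script from the blog; it assumes only the Run key and file paths quoted on the page, plus a generic rule (my addition) that any Run entry launching from ProgramData or All Users\Application Data is worth a second look.

```powershell
# Added example (not from the blog post): read-only audit of the HKCU Run key
# and the file paths this page lists for Internet Security 2014 (amsecure.exe)
# and the BrowserCompanion adware (bchelper.exe). Reports only; deletes nothing.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Indicators as given on the page. %ProgramData% is the Vista/7 location and
# %ALLUSERSPROFILE%\Application Data the XP equivalent of the same path.
$Indicators = @(
    @{ Family = 'Internet Security 2014'; RunValue = 'Internet Security 2014'
       Files  = @("$env:ProgramData\amsecure.exe",
                  "$env:ALLUSERSPROFILE\Application Data\amsecure.exe") },
    @{ Family = 'BrowserCompanion'; RunValue = 'Browser companion helper'
       Files  = @("$env:ProgramFiles\BrowserCompanion\bchelper.exe",
                  "${env:ProgramFiles(x86)}\BrowserCompanion\bchelper.exe") }
)

function Get-RogueStartupFindings {
    param([string]$Key = $RunKey, [array]$Iocs = $Indicators)
    $findings = New-Object System.Collections.ArrayList
    $run = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($ioc in $Iocs) {
        # Is the named Run value present?
        if ($run -and $run.PSObject.Properties[$ioc.RunValue]) {
            [void]$findings.Add([pscustomobject]@{ Family = $ioc.Family; Type = 'RunValue'
                Detail = "$($ioc.RunValue) = $($run.($ioc.RunValue))" })
        }
        # Is the dropped executable still on disk? A leading '\' means the
        # environment variable is unset on this Windows version, so skip it.
        foreach ($path in $ioc.Files) {
            if ($path -notmatch '^\\' -and (Test-Path -LiteralPath $path)) {
                [void]$findings.Add([pscustomobject]@{ Family = $ioc.Family; Type = 'File'; Detail = $path })
            }
        }
    }

    # Generic rule (assumption, not from the page): a Run entry whose command
    # lives under ProgramData / All Users\Application Data deserves a look.
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.)
            if ("$($prop.Value)" -match '(?i)\\(ProgramData|All Users\\Application Data)\\') {
                [void]$findings.Add([pscustomobject]@{ Family = 'Generic'; Type = 'RunValue'
                    Detail = "$($prop.Name) = $($prop.Value)" })
            }
        }
    }
    return ,$findings
}

$result = Get-RogueStartupFindings
if ($result.Count -eq 0) { 'No indicators from this page were found.' }
else { $result | Format-Table -AutoSize }
```

Run it as the user who saw the rogue (the Run key is per-user); a hit on the file path after the Run value is gone means the renamed or dormant copy described in the manual removal steps is still on disk.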

File "contained a virus and was deleted" removal, Sirefef blocks downloads in IE9/IE10

"[filename].exe contained a virus and was deleted." is a message that may occur when your computer is infected with the Sirefef (ZeroAccess) malware. So, every time you try to download antivirus software onto your computer, even from Microsoft's website, this malware announces the program has a virus and will not allow you to download it. It may block other programs as well, for example CCleaner. You may end up in a situation in which you can't download a thing. This new anti-MSE/Windows Defender module affects Windows 7/8 users using Internet Explorer 9 and 10. Here's an example of the fake Sirefef message I got when trying to download SUPERAntiSpyware onto my computer:


Self-defense modules are nothing new for the Sirefef malware, which generates revenue for the cyber criminals, mostly by mining for bitcoins and perpetrating click-fraud. The current malware dropper changes security permissions, removes or corrupts Windows Defender, disables Windows "Action Center" and then drops the payload of the Blackhole Exploit Kit (most of the time, but it may be anything else). As far as I can tell the payload hasn't changed, so it seems that cyber criminals decided to improve self-defense modules and keep as many infected computers as possible. By the way, just a few days ago Microsoft announced that roughly 500,000 machines were cleaned of Sirefef. Maybe this is how cyber criminals try to fight back.

In order to fix "[filename].exe contained a virus and was deleted." infection and stop this fake message from showing up and blocking software downloads you need to remove the Sirefef malware from your computer. If you are using Microsoft Security Essentials or Windows Defender you will have to reinstall them. Since you can't use these programs to remove Sirefef you will have to download the programs listed below using Chrome, Firefox or any other web browser. If you can't then download the files requested in this guide on another computer and then transfer them to the infected computer. To remove this malware from your computer, please follow the removal guide below. If you have any questions, please leave a comment. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com


Sirefef malware removal instructions:

1. Please reboot your computer into "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download recommended anti-malware software (direct download) and run a full system scan to remove Sirefef malware from your computer.

3. Reboot your computer as normal. Download and run TDSSKiller. Press the button Start scan for the utility to start scanning.



4. Wait for the scan and disinfection process to be over. Then click Continue. Please reboot your computer after the disinfection is over.



5. Download the ESET ServicesRepair utility and save it to your Desktop. Double-click ServicesRepair.exe to run the ESET ServicesRepair utility. If you are using User Account Control, click Run when prompted and then click Yes when asked to allow changes.

6. If you are using Microsoft Security Essentials, you should reinstall it.

7. That's it! You should be able to download software without any problems and fake virus notifications. If you still have problems, please leave a comment below.

Friday, 24 May 2013

Remove kaq.pagerte.net pop-up ads, removal instructions

If you are constantly getting pop ups from kaq.pagerte.net asking you to upgrade Flash Player then your computer is infected with adware and potentially unwanted programs. But don't worry, this page contains removal instructions for the kaq.pagerte.net virus. OK, so first of all, what is adware? If you’ve heard the term but are not quite sure what adware is and how it can affect your computer read on as we explain. At its ‘best’ adware is annoying; adware is short for advertising supported software and just as TV stations and magazines use advertising to generate income, adware is a tool for developers of software to recoup some of their development costs by offering advertising to their clients. The adware will be integrated with the software package that the end user either uses or downloads.

What is kaq.pagerte.net? It's an ad server which means it serves ads to end users depending on certain signals, for example user location. To the end user pop-up adverts materializing on the screen when you’re trying to work can be just plain irritating. And that’s not all because adware can have a hidden side that goes beyond advertising.


What this means is that the adware is now letting adverts be automatically displayed on your PC without you having given your permission. And whilst this is an invasion of privacy it’s not actually doing you any harm. Or is it? Well, yes it can in fact be causing a whole lot of damage because some adware also collects your personal data. Known as spyware, this is where adware gets nasty. In its most innocent format spyware will be tracking which websites you browse so that it can display adverts that it thinks are tailored to your interests. Obviously this is done with the hope of you being more likely to click on the ad and make a purchase or at least visit the advertiser’s website. In this case, users are getting loads of ads from kaq.pagerte.net asking them to install an update to Adobe Flash - although it is clearly illegitimate. Remember, install Flash from the official site ONLY! This is the reason why kaq.pagerte.net is reported as a virus. For example, Norton Antivirus detects these pop-up ads as Adware.Singalng. You may get similar notifications from your antivirus, especially if you installed the FindLyrics or LyricsPal extensions (add-ons) by mistake. From what I've seen so far, this malicious extension is the main cause of the fake Flash Player popups. FindLyrics is packaged with freeware – a software that initially seems like a great deal as it’ll be free.

So whilst adware can just be a nuisance, the main problem with it is that it can be a form of spyware. It can get a little tricky to tell the difference between adware, freeware and malware because they do share certain characteristics and can overlap. Generally speaking, if FindLyrics, LyricsPal or any other similar adware has been installed on your computer without your knowledge it is considered spyware. Not to mention that it is also popping up advertisements from kaq.pagerte.net. But how does it get there in the first place? Let's say you're downloading something and you get the little 'end user agreement' window on your screen. Most of us check the "I agree" box without giving it any further thought or without reading the small print. Don't: this is how adware can be installed, but if adware is integrated with the program you're installing it will normally say so in the agreement – you just need to spot it and check or uncheck the box accordingly. Or don't download it at all!

So that’s one way of protecting yourself, your data and your sanity against adware, spyware and other unwanted software but what else can you do, after all the last thing you want is to fall victim to identity theft. There are a couple of other things to bear in mind. Never open an email or click on links sent by people you don’t know – no matter how tempting the deal or offer sounds. Secondly make sure you have reputable anti-virus software installed on your computer and that it is always up to date with the latest patches. You may also want to consider installing advert blocking software for extra peace of mind too. To remove kaq.pagerte.net from your computer, please follow the removal guide below.

Written by Michael Kaur, http://deletemalware.blogspot.com



kaq.pagerte.net removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.
2. Uninstall FindLyrics, LyricsPal and related programs from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on the bottom-left hot corner (formerly known as the Start button) and select Control Panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove FindLyrics, LyricsPal and any other recently installed application.



Simply select the application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove kaq.pagerte.net from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon to remove the FindLyrics, LyricsPal or any other recently installed extension.




Remove kaq.pagerte.net from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Remove FindLyrics, LyricsPal or any other recently installed extension. Close the window.


Remove kaq.pagerte.net from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons.




2. Select Toolbars and Extensions. Remove the DnsBasic and LyricsPal Internet Explorer add-ons.