Saturday, July 30, 2011

How can I tell if my computer is infected?

Don't Copy From This Blog...

Protected by Copyscape Plagiarism Detection
My anti-virus program found and removed a virus from my PC. I've also run several anti-spyware programs. They found and removed like 10 or more Trojans from my computer as well. My antivirus program says I'm clean and protected and there doesn't really seem to be a virus on my PC. However, I can't just use every possible security product to make sure that my computer is completely virus-free. I don't want to format the hard disk and reinstall Windows either. I'm just wondering if I'm infected or not. How can I tell if my computer is infected? Thanks.
More and more people use computers nowadays, but not everyone pays much attention to security, and some have no idea whether or not their computer is infected. Of course, if you don't see any obvious symptoms of infection, you may assume that your PC is virus-free at the moment, but are you sure?

The truth is that there's no way to prove that your computer is absolutely clean. You may use every possible scanner or a whole set of up-to-date tools, but the possibility of infection still remains. You will probably agree that no tool catches everything. So how can you be sure about your computer?

For instance, let's take the most common symptoms of malware infection:
  • warnings from your anti-malware software,
  • unusual activity on your system,
  • slower computer performance,
  • unauthorized remote connections to your computer,
  • unexpectedly slow internet speed,
  • questionable pop-ups telling you that your computer is in danger and needs a scanner or some other program you've never heard of,
  • problems with booting, or rebooting before login, etc.
Actually, everything mentioned above might be a symptom of infection, or might not. In other words, the occurrence of these symptoms does not necessarily mean that your computer is infected, just as their absence does not guarantee that your machine is totally clean. Even if your computer works perfectly, it doesn't prove anything. You might be OK, or you might not. There's simply no way to know for certain.

The news, obviously, isn't very exciting... But what can you do? Well, first you should stop claiming that your PC is virus-free, and second, you should do everything you can to make that as likely as possible. The basic steps are presented below:
  • install and run an anti-virus program, and always check that the software is still valid and its database is up to date,
  • use only licensed software and don't forget to update it (so that any vulnerabilities discovered after purchase get corrected),
  • choose adequate firewall settings (control which software and hardware is using your router),
  • be careful when sharing information with other computers, because one infected computer may spread its infection to others over the connection,
  • use your PC sensibly.
The last point refers to your own behaviour and awareness. No one can help you if you keep opening spam or unsolicited attachments, or browsing unsafe websites and other places where you can easily pick up malware, spyware or a virus infection. It is strongly advisable to be careful with internet content as well as with CDs, USB sticks or other removable media before opening and using them.

To sum up, no tools or safety measures can protect you from yourself. But if you follow all the recommendations honestly, you will be able to say that your computer is as clean as possible.


How do I know if I have spyware on my computer?

I think my boyfriend has installed a keylogger or some sort of spyware on my desktop computer which tracks what I type. I suspect he wants to find my Facebook and e-mail passwords. He's a bit jealous and our relationship is like a roller coaster. Sometimes I just find it hard to love him. Anyway, a few days ago I asked him to help me with my computer. It took him about an hour to fix my PC. An hour is plenty of time to install spyware on a computer, I guess. I did a full scan with my anti-virus program and it says my computer is clean. Is there any way I can find out if spyware is installed on my computer? Anything helpful would be appreciated.
Nowadays, various computer activities are carried out daily, from chatting with friends to accessing your online bank account. However, since these activities involve personal information about you, anyone who has access to your computer may deliberately install a spyware program on it. Such a program gives the installer the opportunity to steal your personal data (such as account logins and passwords) and/or to monitor your activities (the list of visited websites, screenshots, etc.). It not only destroys your privacy but may also have serious consequences (e.g. an emptied bank account or changed passwords), so if you suspect anyone, for example your boyfriend or ex (fairly common), of spying on you, keep reading and get some advice.

Of course, the simplest solution for detecting and cleaning spyware is to take your computer to a technician. However, the easiest way is usually not the cheapest one, so here is something you can try before spending a lot of money. Basically, the most thorough thing you can do is to format the hard disk(s) and reinstall Windows or whatever other OS you are using. The downside of this decision is that you lose all your data. You can save it to another device and then copy it back, but doing that might undermine the final result: some spyware components can hide among your files, and restoring those files will bring the spyware back with them.

If you have no wish to erase all your data, or you want to save at least some of it, you may consider using anti-spyware programs. Most of them are rather effective against both commercial and non-commercial (e.g. created by your ex or other malicious people) spyware. Unfortunately, not every program is able to detect all kinds of spyware, but using at least one will greatly reduce the risk of infection and/or will help detect already infected places by scanning them. We recommend using this anti-malware software. It usually catches keyloggers and spyware very effectively.

Sadly, despite all your efforts, there are no guarantees that this will definitely restore your privacy and safety. These are only recommendations meant to help you get started. If, after taking all the above-mentioned measures, you still have the feeling of being spied on, then it is probably wise to invest some more money in a professional analysis of your PC.


Thursday, July 28, 2011

Remove "Your computer is infected with Spyware!" Alert (Uninstall Guide)

We understand that sometimes it can be difficult to distinguish between legitimate security alerts and fake warnings saying that your computer is infected with spyware, adware, Trojans and other malware. Rogue security programs and similar scareware use fake security alerts to trick users into paying for completely useless security software or installing additional malware files on the compromised computer. Yesterday we stumbled upon some fake security alerts and error messages that we think are worth mentioning here. "Your computer is infected with Spyware!" is a fake alert caused by malicious software, specifically a Trojan horse. Here's what the fake error notification about spyware looks like:
Error
Your computer is infected with Spyware! Detected malicious programs can damage your computer and compromise your privacy. It is strongly recommended to remove them immediately.


The first thing that should catch your attention is the title of this security alert: Error. What does this tell you? Probably nothing, because it's unclear what causes this alert. Is it your anti-virus software, or maybe a Windows system notification? If you can't tell that right away, it might be a sign of a malware infection on your computer. In that case, you should scan your computer with a legitimate anti-malware application. Here's another example:
Error
Surfing without protection tool installed may cause spyware intrusion through security holes in the Web browser or in other software.


Very often, cyber criminals use fake system warnings from the system tray, saying that spyware protection is disabled or that your sensitive information can be stolen, to make users think that they should install some sort of computer protection software. Here are some examples of fake system warnings:
System warning
Spyware protection is disabled. Your personal data is at high risk of being stolen or misused.

System warning
Keep your computer safe from viruses and malicious programs that can slow down or break your system


Such fake security alerts are very common right now. You should always check twice before clicking on suspicious notifications or running potentially unwanted applications; otherwise you may end up with a heavily infected computer. If you're experiencing such fake security alerts, please scan your computer with the anti-malware software listed below. If you have any questions or need help removing malware from your computer, please leave a comment below. Good luck and be safe online!


"Your computer is infected with Spyware!" removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Associated "Your computer is infected with Spyware!" files and registry values:

Files:
  • C:\Documents and Settings\[UserName]\Desktop\FakeAV\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\LocalService\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].exe

Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\[SET OF RANDOM CHARACTERS].exe

Wednesday, July 27, 2011

Norton AntiVirus ENHANCED PROTECTION MODE

"Norton AntiVirus ENHANCED PROTECTION MODE" is a fake security alert that pretends to be a notification from Norton AntiVirus about a virus detected on your computer. However, Norton doesn't have such a protection mode, so this security alert is obviously fake and hides the presence of malware in the system. If you've got this fake security alert, then your computer is infected by a Trojan horse.


Norton AntiVirus
ENHANCED PROTECTION MODE
Attention!
Norton AntiVirus operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.
The Trojan horse displays this fake Norton AntiVirus update notification too.



The fake security alert runs from (command line): C:\WINDOWS\update.tray-10-0-lnk\svchost.exe tray 10-0 1

To remove the Trojan that causes the fake Norton AntiVirus ENHANCED PROTECTION MODE alert, please scan your computer with the legitimate anti-malware applications listed below. You can read more about this infection here: Avast ENHANCED PROTECTION MODE. Good luck and be safe online!


Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Microsoft Defender ENHANCED PROTECTION MODE

"Microsoft Defender ENHANCED PROTECTION MODE" is a fake security alert, and it has nothing to do with the legitimate Microsoft Windows Defender. Windows Defender doesn't even have such a protection mode, so this security alert is obviously fake and hides the presence of malware in the system. If you've got this fake security alert, then your computer is infected by a Trojan horse.


Microsoft Defender
ENHANCED PROTECTION MODE
Attention!
Microsoft Defender operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.
The Trojan horse displays this fake Microsoft Defender update notification too.



The fake security alert runs from (command line): C:\WINDOWS\update.tray-15-0-lnk\svchost.exe tray 15-0 1

To remove the Trojan that causes the fake Microsoft Defender ENHANCED PROTECTION MODE alert, please scan your computer with the legitimate anti-malware applications listed below. You can read more about this infection here: Avast ENHANCED PROTECTION MODE. Good luck and be safe online!


Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Microsoft Security Essentials ENHANCED PROTECTION MODE

"Microsoft Security Essentials ENHANCED PROTECTION MODE" is a fake security alert which clearly indicates that your computer is infected with malicious software. It's designed to trick you into thinking that your computer is protected against malicious software. Microsoft Security Essentials doesn't have such a protection mode, so this security alert is obviously fake and hides the presence of malware in the system. If you've got this fake security alert, then your computer is infected by a Trojan horse.


Microsoft Security Essentials
ENHANCED PROTECTION MODE
Attention!
Microsoft Security Essentials operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.
The Trojan horse displays this fake Microsoft Security Essentials update notification too.



To remove the Trojan that causes the fake Microsoft Security Essentials ENHANCED PROTECTION MODE alert, please scan your computer with the legitimate anti-malware applications listed below. You can read more about this infection here: Avast ENHANCED PROTECTION MODE. Good luck and be safe online!


Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


McAfee ENHANCED PROTECTION MODE

"McAfee ENHANCED PROTECTION MODE" is a fake security warning designed to trick you into thinking that your computer is protected against malware. McAfee anti-virus doesn't have such a protection mode, so this security alert is obviously fake and hides the presence of malware in the system. If you've got this fake security alert, then your computer is infected by a Trojan horse.


McAfee
ENHANCED PROTECTION MODE
Attention!
McAfee operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.
The Trojan horse displays this fake McAfee update notification too.



The fake security alert runs from (command line): C:\WINDOWS\update.tray-9-0-lnk\svchost.exe tray 9-0 1

To remove the Trojan that causes the fake McAfee ENHANCED PROTECTION MODE alert, please scan your computer with the legitimate anti-malware applications listed below. You can read more about this infection here: Avast ENHANCED PROTECTION MODE. Good luck and be safe online!


Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Dr.Web ENHANCED PROTECTION MODE

"Dr.Web ENHANCED PROTECTION MODE" is a misleading security warning designed to trick you into thinking that your computer is protected against malware, when in reality the Trojan horse downloads and installs additional malicious code on your computer. Dr.Web anti-virus doesn't have such a protection mode, so this security alert is obviously fake. If you've got this fake security alert, then your computer is infected by a Trojan horse.


Dr.Web
ENHANCED PROTECTION MODE
Attention!
Dr.Web operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.
The Trojan horse displays this fake Dr.Web update notification too.



The fake security alert runs from (command line): C:\WINDOWS\update.tray-11-0-lnk\svchost.exe tray 11-0 1

To remove the Trojan that causes the fake Dr.Web ENHANCED PROTECTION MODE alert, please scan your computer with the legitimate anti-malware applications listed below. You can read more about this infection here: Avast ENHANCED PROTECTION MODE. Good luck and be safe online!


Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Comodo ENHANCED PROTECTION MODE

"Comodo ENHANCED PROTECTION MODE" is a fake security alert designed to trick you into thinking that your computer is protected, and to hide the presence of malware. Comodo anti-virus doesn't have such a protection mode. If you've got this fake security alert, then your computer is infected by a Trojan horse.


Comodo
ENHANCED PROTECTION MODE
Attention!
Comodo operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.
The Trojan horse displays this fake Comodo update notification too.



The fake security alert runs from (command line): C:\WINDOWS\update.tray-5-0-lnk\svchost.exe tray 5-0 1

To remove the Trojan that causes the fake Comodo ENHANCED PROTECTION MODE alert, please scan your computer with the legitimate anti-malware applications listed below. You can read more about this infection here: Avast ENHANCED PROTECTION MODE. Good luck and be safe online!


Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Avira AntiVir ENHANCED PROTECTION MODE

"Avira AntiVir ENHANCED PROTECTION MODE" is a fake security alert; Avira AntiVir doesn't have such a protection mode. If you've got this fake security alert, then your computer is infected by a Trojan horse. It displays this fake security alert and restricts access to the legitimate Avira AntiVir security software to make you think that your computer is protected against malware when in reality it's not.


Avira AntiVir
ENHANCED PROTECTION MODE
Attention!
Avira AntiVir operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.
The Trojan horse displays a fake Avira AntiVir update notification too.



To remove the Trojan that causes the fake Avira AntiVir ENHANCED PROTECTION MODE alert, please scan your computer with the legitimate anti-malware applications listed below. You can read more about this infection here: Avast ENHANCED PROTECTION MODE. Good luck and be safe online!


Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Tuesday, July 26, 2011

Remove "Avast ENHANCED PROTECTION MODE" Trojan (Uninstall Guide)

"Avast ENHANCED PROTECTION MODE" is a fake security alert that gives a false sense of security; the legitimate Avast! anti-virus doesn't have such a protection mode. If you've got this fake security alert, then your computer is infected by a Trojan horse. Cyber crooks use various methods, including social engineering, to distribute malicious software. Malicious links began to spread on Facebook and through MSN Messenger. Here's an example of a chat conversation snippet:

[friend]: hi, how are you?
[you]: hey
[friend]: Wanna laugh?
[you]: sure
[friend]: It is you on the video? )) want to see?)
[you]: ???
[friend]: [malicious domain]



The malicious link usually has the structure http://[domain]/FacebookUserID and it redirects users to fake YouTube websites. To watch the video, the user supposedly has to install the latest version of Flash Player, Flash-Player.exe. Obviously, it's not a legitimate Flash Player but a Trojan horse. Once executed, it returns the following error:



While running, it downloads and installs additional components on your computer. The "Avast ENHANCED PROTECTION MODE" Trojan uninstalls or blocks your anti-virus application, creates new shortcuts and displays the following security alert:
Avast
ENHANCED PROTECTION MODE
Attention!
Avast operates under enhanced
protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.


Here's what the legitimate Avast! virus notification looks like:



As you can see, the Trojan horse clearly wants to trick you into thinking that your computer is protected and that you shouldn't take any action to remove the virus, which actually doesn't even exist. The Trojan also displays a fake Avast update notification in the bottom right-hand corner of your screen.



The legitimate Avast! update notification looks entirely different. If you have the "Avast ENHANCED PROTECTION MODE" Trojan on your computer, please follow the removal instructions below to remove it. Obviously, you won't be able to use your anti-virus software, so you will have to use the other malware removal tools listed below. If you have any questions or need help removing this malicious software from your computer, please leave a comment below. Good luck and be safe online!

Update: the Trojan blocks other anti-virus software too and displays the same security alerts.

"Avast ENHANCED PROTECTION MODE" Trojan removal instructions:

Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.


Associated "Avast ENHANCED PROTECTION MODE" files and registry values:

Files:
  • C:\WINDOWS\btc_client_iplist.txt
  • C:\WINDOWS\ddh_iplist.txt
  • C:\WINDOWS\front_ip_list.txt
  • C:\WINDOWS\geoiplist
  • C:\WINDOWS\geoiplist.rar
  • C:\WINDOWS\iecheck_iplist.txt
  • C:\WINDOWS\info1
  • C:\WINDOWS\iplist.txt
  • C:\WINDOWS\l1rezerv.exe
  • C:\WINDOWS\phoenix
  • C:\WINDOWS\phoenix.rar
  • C:\WINDOWS\proc_list1.log
  • C:\WINDOWS\rpcminer
  • C:\WINDOWS\rpcminer.rar
  • C:\WINDOWS\services32.exe
  • C:\WINDOWS\sysdriver32.exe
  • C:\WINDOWS\sysdriver32_.exe
  • C:\WINDOWS\systemup.exe
  • C:\WINDOWS\ufa
  • C:\WINDOWS\ufa.rar
  • C:\WINDOWS\unrar.exe
  • C:\WINDOWS\update.1
  • C:\WINDOWS\update.2
  • C:\WINDOWS\update.5.0
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
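The command lines and file lists in the "ENHANCED PROTECTION MODE" posts above give a defender something concrete to check for: a legitimate svchost.exe only ever runs from the System32 (or SysWOW64) folder, never from a C:\WINDOWS\update.tray-*-lnk directory. The following PowerShell script is an added example written for this page, not code from the original posts; it assumes the directory and file names exactly as listed above and only reports findings, it does not delete anything.

```powershell
# Added example (not part of the original posts): report the indicators the
# "ENHANCED PROTECTION MODE" posts describe. Read-only; run as administrator
# so that process paths of all users are visible.

$systemRoot = $env:SystemRoot
# The only locations a genuine svchost.exe runs from.
$legitSvchost = @(
    (Join-Path $systemRoot 'System32\svchost.exe'),
    (Join-Path $systemRoot 'SysWOW64\svchost.exe')
)

# 1. Any svchost.exe whose image path is outside System32/SysWOW64 is suspicious.
#    The posts show the fake alert launched as
#    C:\WINDOWS\update.tray-10-0-lnk\svchost.exe tray 10-0 1
Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    if ($_.ExecutablePath -and ($legitSvchost -notcontains $_.ExecutablePath)) {
        Write-Output ("SUSPICIOUS svchost PID {0}: {1} (cmdline: {2})" -f `
            $_.ProcessId, $_.ExecutablePath, $_.CommandLine)
    }
}

# 2. The update.tray-*-lnk directories named in the posts (PSIsContainer keeps
#    this working on the PowerShell 2.0 that shipped with Windows 7).
Get-ChildItem -Path $systemRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'update.tray-*-lnk' } |
    ForEach-Object { Write-Output ("SUSPICIOUS directory: {0}" -f $_.FullName) }

# 3. Files associated with the Trojan, as listed in the Avast post (presence check only).
$associatedFiles = @(
    'btc_client_iplist.txt', 'ddh_iplist.txt', 'front_ip_list.txt', 'geoiplist',
    'geoiplist.rar', 'iecheck_iplist.txt', 'info1', 'iplist.txt', 'l1rezerv.exe',
    'phoenix', 'phoenix.rar', 'proc_list1.log', 'rpcminer', 'rpcminer.rar',
    'services32.exe', 'sysdriver32.exe', 'sysdriver32_.exe', 'systemup.exe',
    'ufa', 'ufa.rar', 'unrar.exe', 'update.1', 'update.2', 'update.5.0'
)
foreach ($name in $associatedFiles) {
    $path = Join-Path $systemRoot $name
    if (Test-Path $path) { Write-Output ("FOUND associated file: {0}" -f $path) }
}

# 4. RunOnce autostart entries. The spyware-alert post shows the Trojan
#    registering a [random].exe value under HKLM\...\RunOnce, so list every
#    value there for manual review.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        Write-Output ("RunOnce {0}\{1} = {2}" -f $key, $prop.Name, $prop.Value)
    }
}
```

A clean machine prints nothing for steps 1 to 3; anything reported there should be scanned with the anti-malware tools listed below rather than deleted by hand.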

Remove "Your codec version is too old" (Uninstall Guide)

"Your codec version is too old" is a fake error message designed to trick you into thinking that the video cannot be played because you either do not have the latest version of codecs or the video format is not supported.
Your codec version is too old
This video format is not supported




Usually, right after this fake error message gets displayed, another one appears in the bottom right hand corner telling you to update the video codec.
Video error
This video cannot be played due to old version of
your codecs


If you choose to update the codec, it will take you to a payment page asking you to purchase the bogus Home Codec pack and video converter suite.



"Your codec version is too old" payment page:



The Trojans displaying this fake "Your codec version is too old" message are distributed in pretty much the same way as rogue security products, i.e. through fake online virus scanners, infected websites and social engineering. Cyber crooks have probably decided to mix things up a little. Besides, rogue codec packs are nothing new.

It's worth mentioning that you shouldn't install every codec pack on offer; otherwise you may end up with such scareware on your computer. By default, Windows Media Player supports all popular video and audio file formats; however, video and audio content can be compressed with a wide variety of codecs, and if the appropriate codec is not installed on your computer, you won't be able to play the file. In that case, you should install only a legitimate and well-known codec pack: DivX, Cinepak, Indeo and some others. Or you can use the VLC media player, which handles various audio and video formats on its own. If you have any questions or suggestions, please leave a comment below. Good luck and be safe online!


"Your codec version is too old" removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

2. New threats appear every day. To protect your PC from such (new) infections, we strongly recommend using ESET Smart Security.


Associated "Your codec version is too old" files and registry values:

Files:

Windows XP
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\All Users\Application Data\ip\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\All Users\Application Data\ip\FRed32.dll
  • C:\Documents and Settings\All Users\Application Data\ip\instr.ini
  • C:\Documents and Settings\All Users\Application Data\ip\SmartGeare.exe
  • C:\Documents and Settings\All Users\Application Data\ip\spoof.avi
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].nls
Windows Vista/7
  • C:\ProgramData\[SET OF RANDOM CHARACTERS].exe
  • C:\ProgramData\ip\[SET OF RANDOM CHARACTERS].exe
  • C:\ProgramData\ip\FRed32.dll
  • C:\ProgramData\ip\instr.ini
  • C:\ProgramData\ip\SmartGeare.exe
  • C:\ProgramData\ip\spoof.avi
  • C:\WINDOWS\system32\[SET OF RANDOM CHARACTERS].nls

Friday, July 22, 2011

How to Remove Total Protect (Uninstall Guide)

Total Protect is a fake antivirus program that generates misleading pop-up warnings, reports non-existent security threats on your computer and attempts to trick you into buying software to remove viruses and other malicious software. This rogue anti-virus product can also slow your computer's performance significantly and block legitimate programs or Windows tools. There are literally hundreds of fake AVs on the Internet meant to scare people into installing additional malware on their computers and giving their credit card numbers to cyber criminals. Total Protect is made to look like Microsoft Security Essentials, but it's not legitimate. If your computer does become infected by this fake anti-virus program, please scan your computer with anti-malware software. To remove Total Protect from the computer, please follow the removal instructions below.



Total Protect - Professional Antivirus Solution typically appears when you visit a fake online virus scanner or an infected website. However, scam artists use social engineering to trick users into installing malicious software as well. If you have stumbled onto a fake security scanner or a fake pop-up alert saying that your computer is infected, don't click anything and close your web browsers. Unfortunately, cyber criminals also use drive-by downloads and software exploits to install Total Protect malware and other viruses on the computer without the user's knowledge or consent. That's why you should always keep your anti-virus software enabled and up to date.

Fake Total Protect security alerts:


The official website of this rogue antivirus software is totalprotectav.com. It's a mixed-up website: some parts are clearly taken from legitimate antivirus vendors' websites. For example, they use the BitDefender logo and also claim that Kaspersky, Panda, Avira and others are their partners. That's a complete lie.



Important: never enter your credit card or personal information into a program like Total Protect. If you have already bought this rogue anti-virus program, please contact your credit card company and dispute the charges. Then do a full scan with up-to-date, reputable antivirus software. Coming across fake antivirus software such as Total Protect can be scary, but it actually can't delete your files or spy on your computer unless it comes bundled with other malware, which is uncommon. If your computer is infected with Total Protect, please follow the steps in the removal guide below to remove it from your computer. If you have any questions or need help removing this fraudware, please leave a comment below. Good luck and be safe online!


Total Protect removal instructions:

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend using ESET Smart Security.


Associated Total Protect files and registry values:

Files:

Windows XP
  • C:\Documents and Settings\[UserName]\Application Data\RtlDriver32.exe
Windows Vista/7
  • C:\Users\[UserName]\AppData\Roaming\RtlDriver32.exe
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"

Wednesday, July 20, 2011

How to Remove Zentom System Guard (Uninstall Guide)

Zentom System Guard is a rogue anti-virus program that tries to trick users into paying for the program to remove fictitious virus threats. It's a re-branded version of Antimalware Doctor. The rogue application claims that it has detected viruses on your computer. It displays fake security warnings to scare you into thinking that your computer is infected with malicious software. Do not, under any circumstances, pay for such bogus software. This type of malicious software is very annoying and we totally understand how frustrating it can be. However, it's worth mentioning that it can't delete your files, so you shouldn't worry about that. If you think or confirm that your computer is infected with this fake anti-virus application, scan your computer with legitimate anti-malware software. To remove Zentom System Guard from your computer, please follow the steps in the removal guide below.



Zentom System Guard video:


There are a number of ways that Zentom System Guard gets on your computer, but usually users have no clue as to how they got it. The problem is that rogue security software can appear on your computer without warning, but most of the time cyber crooks use social engineering to trick you into installing their malicious software. For example, this time cyber crooks use a fake pop-up window called "System Security Pack Upgrade" that looks just like the legitimate Windows Automatic Updates screen to trick you into installing Zentom System Guard.

System Security Pack 2010.78.932 (Zentom System Guard Upgrade; KB921472)


Cyber crooks can also use fake online virus scanners, drive-by downloads, fake codecs and other social engineering tricks. Once installed, Zentom System Guard completes a fake system scan and reports numerous non-existent infections on your computer. Here are some of the fake security alerts you may see when your computer gets infected with Zentom System Guard.


Zentom System Guard - Hacker attack detected
Your computer is subjected to hacker attack. Zentom System Guard has detected that somebody is trying to transfer Your private data via internet. We strongly recommend you to block attack immediately.

Protection Center Alert
To help protect your computer, Zentom System Guard has blocked some features of this program Zentom System Guard has detected unauthorized activity, but unfortunately trial version cannot remove viruses, keyloggers and other treats. Your personal data under serious risk. It is strongly recommended to register Your copy of Zentom System Guard and prevent intrusion for future.
Do You want to block this suspicious software?
Name: Trojan.Win32.Autoit.agg
Alert level: High
Description: It is highly recommended to remove this threat from your PC
If you have accidentally purchased this rogue antivirus program, please contact your credit card company and dispute the charges. Then please follow the removal instructions below to remove Zentom System Guard and associated malware from your computer. If you have any questions or need help removing this malware, please leave a comment below. Good luck and be safe online!

Additionally, you can activate the rogue program by entering this registration code MTk4-NzE1-NTYx-NTUw as shown in the image below.



Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.


Zentom System Guard removal instructions:

1. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Open Internet Explorer and download STOPzilla. Once finished, go back into Normal Mode and run it. That's it!

Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.


Associated Zentom System Guard files and registry values:

Files:



Windows XP
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]\lsrslt.ini
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]\local.ini
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]\hookdll.dll
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]\enemies-names.txt
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Zentom System Guard\
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Startup\Zentom System Guard.lnk
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Zentom System Guard\Uninstall.lnk
  • C:\Documents and Settings\[UserName]\Start Menu\Programs\Zentom System Guard\Zentom System Guard.lnk
  • C:\Documents and Settings\[UserName]\Desktop\Zentom System Guard.lnk
Windows Vista/7
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS]
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS]\lsrslt.ini
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS]\local.ini
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS]\hookdll.dll
  • C:\Users\[UserName]\AppData\Roaming\[SET OF RANDOM CHARACTERS]\enemies-names.txt
  • C:\Users\[UserName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zentom System Guard\
  • C:\Users\[UserName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zentom System Guard.lnk
  • C:\Users\[UserName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zentom System Guard\Uninstall.lnk
  • C:\Users\[UserName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zentom System Guard\Zentom System Guard.lnk
  • C:\Users\[UserName]\Desktop\Zentom System Guard.lnk
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zentom System Guard
  • HKEY_CURRENT_USER\Software\ZentomSystemGuard
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
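Both the Total Protect and the Zentom System Guard file lists above end the same way: a randomly named .exe dropped into the user's roaming profile and started from the HKCU Run key. The following script is an added example (not part of the original posts) that audits the Run keys for exactly that pattern; it assumes Windows PowerShell 3.0 or later and flags any autorun entry that starts unsigned code from a user-writable folder.

```powershell
# Added example, not from the original posts: audit the Run keys for the
# persistence pattern the Total Protect and Zentom System Guard file lists share,
# an executable with a random name started from the roaming profile
# (%AppData%), %ProgramData% or %Temp% instead of an installed-program folder.
# Assumes Windows PowerShell 3.0 or later.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# user-writable roots that the rogues in these posts drop their payload into
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) | Where-Object { $_ }
# properties the registry provider adds to every Get-ItemProperty result
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntryReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            # executable part of the command line: a quoted path, or the first token
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $inSuspectRoot = $false
            foreach ($root in $suspectRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inSuspectRoot = $true }
            }
            # an entry whose target no longer exists is itself a leftover worth removing
            $sigStatus = 'file missing'
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            }
            [pscustomobject]@{
                Key           = $key
                Name          = $prop.Name
                Path          = $exe
                InSuspectRoot = $inSuspectRoot
                Signature     = $sigStatus
                # unsigned code auto-starting from a user-writable folder matches the rogue AV pattern
                Suspicious    = $inSuspectRoot -and ($sigStatus -ne 'Valid')
            }
        }
    }
}

Get-RunEntryReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Legitimate software that updates itself from the roaming profile is usually signed and therefore not flagged; treat a flagged entry as something to investigate, not to delete blindly.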

Tuesday, July 19, 2011

Remove www5.antimalware-lab.com (Uninstall Guide)

www5.antimalware-lab.com is a misleading website related to scareware called Anti-Malware Lab. It provides a variety of misleading reviews, awards, comparisons and other information about rogue anti-virus software. www5.antimalware-lab.com is also the payment page of the rogue AV product. If you are being redirected to that website, your computer is probably infected with Anti-Malware Lab scareware or a Trojan horse that advertises this rogue AV. Either way, you should run legitimate anti-malware software and remove the malware from your computer. For more information, please read how to remove Anti-Malware Lab. Good luck and be safe online!

Here's a screenshot of what www5.antimalware-lab.com looks like:



Sunday, July 17, 2011

Remove Jucheck.exe Trojan (Uninstall Guide)

Jucheck.exe is the Java update verification process, which notifies users about new updates available for the Java software installed on the computer. Unfortunately, it's not uncommon for malicious software authors to use well-known and legitimate file names to confuse users and, in some cases, to avoid detection. We previously wrote about a Trojan horse masquerading as msiexec.exe. There's also an IRC backdoor Trojan which uses another legitimate file name, jusched.exe, to trick users into running malicious code on their computers. So, how do you determine whether it's a virus or a legitimate application?

First of all, you should verify that the file is digitally signed and that the signature is verified as belonging to the software's distributor. Jucheck.exe should be digitally signed by Sun Microsystems, Inc.; if the publisher is shown as Unknown, it's probably some kind of malware.

Secondly, you should verify the file location. The legitimate Java updater runs from C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe. The \jre1.6.0_01\ part may vary depending on the version of Java installed on your computer. Malicious software usually runs from the Windows temporary folder (%Temp%) or the Windows system folder (%Windir%). If jucheck.exe runs from C:\Users\AppData\Local\Temp\jucheck.exe or from C:\Windows\jucheck.exe, you shouldn't allow it to run.

Finally, you can upload the suspicious file to VirusTotal, Jotti or VirScan to determine whether it's malicious or not. If the file is infected, you should get results similar to these: http://file.virscan.org/report/f1c42499897ee70aaa40cc4f1619571c.html

If you get a User Account Control (UAC) prompt about jucheck.exe from an Unknown publisher asking to make changes to your computer, please click No and scan your computer with legitimate anti-malware software.
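The three checks above (publisher signature, file location, multi-engine hash lookup) can be applied to every running jucheck.exe in one go. The script below is an added example, not code from the original post; it assumes Windows PowerShell 4.0 or later (for Get-FileHash and Get-CimInstance) and the Sun Microsystems publisher and Program Files\Java location the post names, and it should be run from an elevated prompt so that the image path of every process is readable.

```powershell
# Added example, not from the original post: apply the post's three checks to
# every running jucheck.exe: (1) where the image lives, (2) whether it carries a
# valid Authenticode signature from the expected publisher, (3) a SHA-256 hash
# you can paste into VirusTotal, Jotti or VirScan for a manual lookup.
# Assumes Windows PowerShell 4.0 or later and an elevated prompt.
$expectedPublisher = 'Sun Microsystems, Inc.'            # publisher named in the post
$javaRoot          = Join-Path $env:ProgramFiles 'Java'   # legitimate home, e.g. C:\Program Files\Java\jre1.6.0_01\bin

function Test-JucheckProcess {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'jucheck.exe'"
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if (-not $path) {
            # image path is hidden for other users' processes unless we are elevated
            [pscustomobject]@{ PID = $p.ProcessId; Path = '<unreadable>'; Verdict = 'rerun from an elevated prompt' }
            continue
        }
        # (1) location: the real updater sits under Program Files\Java; the post names
        #     %Temp% and %Windir% as the usual homes of impostors
        $inJavaDir = $path.StartsWith($javaRoot, [StringComparison]::OrdinalIgnoreCase)
        $inBadDir  = $path.StartsWith($env:TEMP,   [StringComparison]::OrdinalIgnoreCase) -or
                     $path.StartsWith($env:WINDIR, [StringComparison]::OrdinalIgnoreCase)
        # (2) signature: status must be Valid and the signer must be the expected publisher
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $signedByPublisher = ($sig.Status -eq 'Valid') -and ($signer -like "*$expectedPublisher*")
        # (3) hash for the manual multi-engine lookup the post recommends
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        $verdict = if ($signedByPublisher -and $inJavaDir) { 'legitimate' }
                   elseif ($inBadDir -or -not $signedByPublisher) { 'suspicious: do not allow it to run, scan the machine' }
                   else { 'unknown: look the hash up online' }
        [pscustomobject]@{
            PID       = $p.ProcessId
            Path      = $path
            Signer    = $signer
            SigStatus = $sig.Status
            SHA256    = $sha256
            Verdict   = $verdict
        }
    }
}

Test-JucheckProcess | Format-List
```

A signed file in the right folder passes; an unsigned file, or one in %Temp% or %Windir%, is reported as suspicious with the hash ready for a VirusTotal search.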



Download recommended anti-malware software and run a full system scan to remove this Trojan from your computer.





NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you need help removing the jucheck.exe malware, please leave a comment below. Good luck and be safe online!

Saturday, July 16, 2011

How to Remove BlueFlare Antivirus (Uninstall Guide)

We have been receiving complaints about a program called BlueFlare Antivirus for a couple of days. From what we've heard about this application, it is rogue anti-virus software. It displays misleading security alerts and false scan results in an effort to convince users to pay for a full version of the program. According to the system logs received from our readers, it may configure web browsers to use a proxy server and block system utilities. BlueFlare Antivirus runs from the %Application Data% folder. Unfortunately, we couldn't find a sample of this application or anything else related to BlueFlare Antivirus, and that certainly raises our suspicion of fraud. If you are experiencing BlueFlare Antivirus pop-ups or security center alerts about this program, please scan your computer with legitimate anti-malware software. We are currently investigating this threat and will provide more information as it becomes available.

Update, 1:55 a.m. PDT, 23/07: BlueFlare Antivirus is indeed a rogue anti-virus application. To remove this fraudware, please follow the removal instructions below. Good luck and be safe online!



Fake BlueFlare Antivirus security alerts:


Security warning:
The file C:\WINDOWS\regedit.exe is infected.
Running of application is impossible.


Additionally, you can activate the rogue program by entering this registration code: DB038748-B4659586-4A1071AF-32E768CD-36005B1B-F4520642-3000BF2A-04FC910B. Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.


BlueFlare Antivirus removal instructions:

1. Go to Start > Run or press WinKey+R. Type in "command" and press the Enter key.


2. In the command prompt window, type "notepad". Notepad will come up.


3. Copy all the text in blue below and paste it into Notepad.

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

4. Save the file as regfix.reg to your Desktop. NOTE: set "Save as type" to "All files".


regfix.reg is available for download here, in case you can't make your own or it doesn't work.

5. Double-click the regfix.reg file to run it. Click "Yes" in the Registry Editor prompt window, then click OK.
6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend using ESET Smart Security.
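Steps 3 to 5 restore the exefile association that BlueFlare tampers with so that it is launched ahead of every program you start, which is how it blocks regedit and other tools. The script below is an added example (not part of the original post) that checks whether that association still holds its stock value, both machine-wide and in the per-user HKCU\Software\Classes hive, which overrides the machine-wide entry when present; it assumes Windows PowerShell 3.0 or later and the standard registry locations.

```powershell
# Added example, not from the original post: verify that the .exe file
# association (the key regfix.reg above repairs) still holds its stock value.
# The per-user HKCU\Software\Classes entry, if present, overrides the
# machine-wide one that HKEY_CLASSES_ROOT merges, so both are checked.
# Assumes Windows PowerShell 3.0 or later.
$expectedCommand = '"%1" %*'     # same value regfix.reg writes

$checks = @(
    @{ Key = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command';  Expect = $expectedCommand; Optional = $true  },
    @{ Key = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command'; Expect = $expectedCommand; Optional = $false },
    @{ Key = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe';  Expect = 'exefile'; Optional = $true  },
    @{ Key = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\.exe'; Expect = 'exefile'; Optional = $false }
)

function Test-ExeAssociation {
    foreach ($c in $checks) {
        if (-not (Test-Path -LiteralPath $c.Key)) {
            # a missing per-user key is normal; a missing machine-wide key is not
            $status = if ($c.Optional) { 'absent (normal)' } else { 'MISSING' }
            [pscustomobject]@{ Key = $c.Key; Value = $null; Status = $status }
            continue
        }
        # '(default)' is how the registry provider exposes a key's unnamed value
        $value  = (Get-ItemProperty -LiteralPath $c.Key).'(default)'
        $status = if ($value -eq $c.Expect) { 'ok' } else { 'HIJACKED' }
        [pscustomobject]@{ Key = $c.Key; Value = $value; Status = $status }
    }
}

Test-ExeAssociation | Format-Table -AutoSize -Wrap
```

Any row reporting HIJACKED shows the command the rogue substituted, typically a path into the %Application Data% folder listed below; apply regfix.reg and re-run the script to confirm the value is back to "%1" %*.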


Associated BlueFlare Antivirus files and registry values:

Files:

Windows XP:
  • C:\Documents and Settings\[UserName]\Application Data\BlueFlare Antivirus\BlueFlare Antivirus.exe
Windows Vista/7:
  • C:\Users\[UserName]\AppData\Roaming\BlueFlare Antivirus\BlueFlare Antivirus.exe
Registry values:
  • HKEY_LOCAL_MACHINE\Software\AWM Antivirus\BlueFlare Antivirus
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\BlueFlare Antivirus
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BlueFlare Antivirus.exe"

Friday, July 15, 2011

What Is Cloud Computing? Defining the Cloud

The term “cloud computing” is rather new, although it has been nearly a decade since cloud computing services were first used. The fact is that only a few years ago the potential of this area was realized and a suitable name found by IT specialists. Nevertheless, this expression still says nothing to an ordinary user. The easiest way to understand the essence of this powerful concept is to explain the two words separately. For a long time, the word “cloud” has been used as a synonym for the Internet, especially in flowcharts or diagrams. Meanwhile, the word “computing” is usually associated with all kinds of activities on a computer. By coupling these two terms together we get cloud computing, which, according to the previous explanations, stands for computing through the Internet, and that is very close to the actual meaning.

In general, the essence of cloud computing is the way information is kept. In traditional computing, we store all data and programs on our PCs and normally we can access them only through the same computer, unless remote access is allowed. In cloud computing, by contrast, all necessary data and programs are stored in the service provider’s data centre and can therefore be accessed from any PC with an Internet connection. In many cases you don’t even have to download and install any applications on your computer, because they are already in the “cloud”.



The illustration of cloud computing

At this point it is very important to understand the differences between the classic client-server model and cloud computing, as these concepts may look similar to some. There are three distinct characteristics which should be discussed here: elasticity, flexibility and maintenance. For example, when you buy a traditional web hosting service, all the details are defined in advance: the amount of space for your website, the bandwidth, the number of databases you are able to configure and so on. However, when you order a similar service from the “cloud”, you can use as much or as little space and other resources as you need at that moment: it is elastic. Moreover, you pay only for the actual consumption of services (on-demand self-service) and you don’t have to care about maintenance or about the tools for using it: the service is fully managed by the provider. All you need is a computer with a sufficient Internet connection.

In addition, the cloud computing model is broadly divided into two deployment models (private or public) and three service models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).
A private cloud supplies hosted services to a particular organization or a limited number of people and can be managed by them or by a third party. A public cloud is available to anyone on the Internet or to a large industry group and is owned by a service provider (for example, Amazon Web Services). Sometimes, when an organization that sells cloud services creates its own private cloud from public cloud resources, the result is called a virtual private cloud. However, regardless of the deployment model, the goal of cloud computing is still the same: to ensure convenient and secure access to massive computing resources and endless scalability.

Infrastructure-as-a-Service (IaaS), as the name implies, provides infrastructure, that is, actual servers and storage, to a buyer. This means that consumers are able to use as much capacity as they need; however, the responsibility for installing the operating system and all the required applications rests with them. One of the best examples of this cloud model is Amazon Web Services (AWS), which allows customers to access and configure its virtual servers and storage. IaaS supports the PaaS and SaaS layers. This provides a high degree of autonomy but increases complexity.

Platform-as-a-Service (PaaS) provides the same services as Infrastructure-as-a-Service (IaaS) but, in addition, installs the platforms on top of the hardware and takes care of maintaining them. Please note that the main difference between IaaS and PaaS is the amount of control over the system available to users of the services: IaaS provides total control, PaaS typically provides no control. This enables consumers to create or acquire applications by using software and product development tools over the Internet. However, it should be taken into account that the question of standards for interoperability or data portability in the cloud is still open, and therefore some cloud service providers may not allow moving the software you created off their platform. Examples of PaaS are Google Apps and Force.com.

Software-as-a-Service (SaaS) is similar to Platform-as-a-Service (PaaS), but has even more limitations. SaaS provides access to various kinds of software managed by the vendor and interacts with the consumer through a front-end portal. Of course, the software on offer may vary according to the company’s needs or activities, and it can be reached from anywhere in the world simply over the Internet. For this reason, SaaS is a very broad market with many capabilities. Some of the best known examples of SaaS are web-based email (Gmail, Yahoo Mail, Hotmail, etc.) and Google Docs.

Although the three service models of cloud computing described above are still relevant, some experts presume that very soon everything will be offered as a single package with the possibility to choose what the end user really needs. Whether these predictions come true or not, one thing can be said for sure: cloud computing will play a more and more important role in meeting the needs of organizations and private customers.

 