Malware / Virus Removal


A screen pops up that looks legitimate, with a message like “YOUR COMPUTER IS INFECTED!”, sometimes changing the desktop color to play on your emotions. These programs all have legitimate-sounding names: “Security Tool,” “Internet Security 2010,” “Fast Antivirus 2009,” and hundreds more. The pop-up windows guide you through the steps necessary to purchase the anti-malware product (usually costing $49.95, credit cards accepted), then through “cleaning” the dozen or so (alleged) viruses from your PC. These programs use scare tactics to frighten people into buying the software. These scare tactics include:

* Fake system scans that report numerous infections and refuse to remove the supposed infections until you buy the phony software

* Alerts and warnings stating the PC is under attack or unprotected, recommending you buy the phony software

* Other software will not work: when you attempt to open a program, a warning appears stating the program is infected and the software is closed

* Web browser hijacking, redirecting the user to malicious websites or showing false security warnings on sites like Google.com and Facebook

* Ads that promise to “delete viruses or spyware,” “protect privacy,” “improve computer function,” “remove harmful files,” or “clean your registry,” and “alerts” about “malicious software” or “illegal pornography on your computer”

* Invitations to download free software for a security scan or to improve your system

* Pop-ups that claim your security software is out of date and your computer is in immediate danger, or an unfamiliar website you suddenly land on that claims to have performed a security scan and prompts you to download new software

If you have bought one of these programs, you have just been scammed. At best, you just bought a piece of “malware” that does absolutely nothing except show alarming pop-up windows. (Spyware, adware, etc. are basically the same; they are unwanted programs, and for this article I’ll use the term malware to cover all of them.) At worst, your credit card number has been stolen and is for sale on the Internet black market. Some rogue programs install other programs that steal personal information from a PC, connect it to a botnet and leave it accessible to the scammer for other malicious uses.

Every 10 minutes cyber criminals alter their attack code (viruses, worms, Trojans and other zero-day malware), so typical anti-virus/spyware software (signature-based, like a vaccine) stops only 29% of today’s attacks on average. Malware has reached epidemic proportions and is only getting worse.

Out of all computer code released onto the internet today, most appears to be of a malicious nature. According to Symantec sensors in 2008, the release rate of malware and other unwanted software may soon exceed that of legitimate applications. F-Secure follows this up by reporting that just as much malware was released in 2007 as in the past twenty years combined. As the outbreak of malicious software is likely to only get worse, it’s important to take every precaution when conducting activities on the internet. I have seen recent statistics indicating that approximately 95% of the world’s PCs are infected with spyware. Unfortunately, removal techniques that worked just a year ago are no longer effective in many cases.

Malware in its many forms poses one of the biggest threats to internet users today. Malicious software can be divided into a number of different categories, including computer viruses, worms, Trojans and spyware among others. It has the ability to hijack your web browser, redirect your search engine attempts, bombard your screen with pop-up advertisements and even monitor your activity. Because malware is often poorly written, it may cause your computer to become terribly slow and unstable. If it is not removed immediately, this type of program can eventually cause your system to become inoperable.

Most malware programs will reinstall themselves even after you think they have been removed; some will have 10 or more copies scattered around the computer. They typically hide deep within the Windows registry, making them difficult to remove. When this occurs, your computer may become so unstable that installing a malware removal tool may be impossible.

Methods of Infection

Limewire and other P2P download programs are very common infection sources for malware. A lot of downloads are infected, so if you use any program like this, I promise you will see malware in time.

Adult websites, free games (malware writers know kids and teens love to play games, so even though the game is innocent, the code in the background might not be), even video being played from YouTube and MySpace can have hidden codec/scripts that redirect the browser to malware. Sometimes a website or video will say it needs a codec or a player to run. Sometimes this is perfectly legit, other times malicious.

Videos, mp3s, even pictures can be “spiked,” which means just playing or viewing them can install a rootkit: a small hidden program that downloads more programs, such as malware, behind the scenes. Email forwards with videos or photos are common “spiked” sources.

Google and Yahoo search results being redirected to ad/malicious sites is very common; many times this is caused by rootkits and can be time consuming to remove. Other forms of malware are installed from sites purporting to be software providers. Most of them will attempt to convince you to download a removal tool, claiming that your system is infected, when in fact the “removal tool” is the malware itself.

Viruses and worms are mainly contracted via email, automatically launching themselves the moment you open an attachment. Some forms of malware can be installed by simply visiting an infected website; these are called drive-by downloads. Sometimes the owners of the website have no idea that users are getting infected just by viewing their website.

Just being a user of Microsoft products makes you a prime target for malware. Outlook, Outlook Express, the Internet Explorer browser and Windows itself are known for having numerous security vulnerabilities, enabling malicious coders to penetrate a victim’s system and infect it with viruses, worms or spyware. Unfortunately, catching an infection is much easier than eradicating it, as some variations have the ability to propagate, spread the infection to other computers over a home network and claim complete control of your system. The people who write these programs focus on the majority: they know most people use Windows and Internet Explorer to surf the web, and they write code to exploit that.

The Problem

It can take about 2 weeks for companies to catch new malware programs, reverse engineer them and then create the signature file (just like a vaccine), and then, if your program doesn’t update automatically, it’s up to you to make sure it is updated.

There is a tension between protection and usability. It’s just like getting a car professionally detailed: as long as you don’t use it, the car remains clean. Or getting sick during the flu season: either live in a bubble, or be active in the world and run the risk of catching something. Same with the computer. There is no way around it; you can limit your computer use and stay safe, but that defeats the purpose of a computer. Most anti-malware programs that exist are “passive” in that they remove the infection after you are infected. Active protection is hard to find, as there is the time lapse that companies need to make the “vaccine,” and malware isn’t a virus. In fact only 3% of today’s infections are traditional viruses, and yet Norton and McAfee, the two biggest names that people have installed, provide little to no protection against malware, rootkits and such. Most clients of mine who have recurrent malware problems usually have one of those installed.

In addition, Norton and McAfee are considered “bloatware”: they take over your computer and slow it down, and it is very common for your system performance to suffer with these programs. There are cases where a user thinks it’s a virus slowing their computer or preventing them from getting online, only to find out that it’s really an expired copy of Norton or McAfee causing it. If it’s expired, remove it; it might actually cause more problems if left alone.

Another problem is that neither I nor any program can protect your computer from yourself. If you download software, install browser toolbars, use Limewire, Frostwire, etc., you are playing with fire, and by opening files there is always a risk your computer will be infected in time. Adult websites are a breeding ground for malware, and MySpace allows a user to run scripts which, if malicious, will infect you. An infection can happen in as little as a few seconds and can take an hour or more to remove properly.

How Not To Get Hooked by a “Phishing” Scam

This is a very common way identity theft happens, but it can also be another avenue for malware.

“We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”

“During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”

Have you received email with a similar message? It’s a scam called “phishing” — and it involves Internet fraudsters who send spam or pop-up messages to lure personal information (credit card numbers, bank account information, Social Security number, passwords, or other sensitive information) from unsuspecting victims.

What to Do

If you’re faced with any of the warning signs of malware or suspect a problem, shut down your browser. Don’t click “No” or “Cancel,” or even the “x” at the top right corner of the screen. Some ads used by malware are designed so that any of those buttons can activate the program. You can try Alt + F4 to close your browser, or press Ctrl + Alt + Delete to open your Task Manager and click “End Task” on iexplore.exe if you are using Internet Explorer. If you use a Mac, press Command + Option + Q + Esc to “Force Quit.”

If you are infected, disconnect from the internet: most malware programs will use your internet connection to download more programs or send spam (mail bots), which will slow your computer and internet connection down.

The malware looks like professional software. How is the average home Internet user to tell the difference? For that matter, how is the average home Internet user to know if ANY anti-virus, anti-spyware or anti-anything product is real?

If you get an offer, check out the program by entering the name in a search engine. The results can help you determine if the program is on the up-and-up. If you get an ad saying you are infected and telling you to download and install Malware Catcher 2009, first go to Google and type in that name. If it’s malicious you will see the terms “remove” or “uninstall Malware Catcher 2009”; if it’s legit software you will see downloads and maybe reviews. If you see the term “remove” a lot, chances are it’s not a real program.

When you get emails, Facebook or MySpace messages from friends with strange links inside, such as http://www.opjfpjpwejfjdd.net/2jowjfoij or http://208.342.32.12/systemscan, beware: most likely your friend didn’t send those. Instead they are infected, and the program on their computer sent these messages to you in hopes that you will trust the source. Be careful when clicking links, as sometimes they are phishing. A link can say http://www.paypal.com, but when you place your mouse over it, it shows http:/292.423.12.121/paypal/. This is without a doubt a phishing scam, so delete that message.

The Solution

This is where the news is lukewarm. Infections over time are not only annoying but frustrating when you are paying a computer tech to remove them. Most of removing malware is knowledge that comes from removing it many times and researching the latest trends. You can have the same tools as a doctor, but what you pay for is the knowledge of what to do with those tools. Having the right tools is required, but some of the best tools also carry a very real risk of ruining your computer if not used right.

A genuine anti-malware tool is the best way to detect and eliminate the wide range of threats this type of infection presents. These programs have a better chance of detecting harmful programs your virus scanner may have missed.

I HIGHLY recommend that you don’t use Internet Explorer; it’s almost a guarantee that in time you will get infected. I use Firefox, a free browser ( http://www.firefox.com ) that doesn’t take long to get used to and is much safer: not perfect, but much better than Internet Explorer.

If you are already infected, I recommend these programs (* = paid program):

Spybot Search and Destroy – http://www.safer-networking.org/en/download/index.html

Malware Bytes – http://www.malwarebytes.org/

* VIPRE – http://www.vipreantivirus.com/

CCleaner isn’t really malware protection, but it cleans up junk/temp files and cleans the registry, which helps a lot when doing malware removal – http://www.ccleaner.com/

HijackThis for the tough ones to remove, but be careful, you can damage your computer too if it is not done right – http://free.antivirus.com/hijackthis/

Sometimes those programs won’t install, and you might find that Ctrl + Alt + Delete, Run and Safe Mode are all inaccessible if the computer is heavily infected. In these cases you need a boot CD such as:

Ultimate Boot CD for Windows – http://www.ubcd4win.com/ (comes with many tools such as password recovery, registry cleaners, and many others)

Dr. Web Live Boot CD – http://www.freedrweb.com/livecd/ (used for patching viruses such as Virut, the nasty Virtumonde (Vundo) Trojan and bad cases of infections)

Using a boot CD can get complex, as you have to know what a malware file looks like compared to a legitimate file; for example, there may be two files that look alike, one real and one not, and the only way to tell is which folder each is located in.

If the programs above don’t fix the problem, it’s usually not worth the time to find the needle in the haystack, so as a last resort I recommend backing up your data, formatting the computer and reinstalling Windows, etc. In the long term, the computer will run faster and cleaner, and it is guaranteed to be clean of malware.

If you are not infected (* = paid program):

* I recommend AVG Internet Security for protection against malware and viruses as it has active protection measures. – http://www.avg.com/us-en/homepage

or AVG Free Edition; it’s good basic protection for being free – http://free.avg.com/us-en/homepage

Spyware Blaster – http://www.javacoolsoftware.com/spywareblaster.html

* AppGuard http://www.blueridgenetworks.com/products/appguard.php

What I Am Paid To Do

I won’t hide behind a “trade secret” or keep this knowledge from you just so I can get paid to clean out your computer. I really do want you to have a clean computer. Of course I like being paid, but if you want to manually find malware programs and feel tech savvy, or just want to know what I do, here is my method. It starts with turning on “show hidden system files and folders” under “Folder Options” in the Control Panel. In Windows Explorer or My Computer, change the view to Details and arrange by “Date modified,” as typically the files near the top and the very bottom are malware files (not in all cases, but in most). Look in each user profile for files with names like 054212246.exe, skjfhfhshs.exe, 41.exe or juiemhifsdf.dll (typically there are .exe and .dll files working together).

If you have Windows XP, most malware will first infect:

C:\Documents and Settings\Tabitha\Application Data

C:\Documents and Settings\Tabitha\Local Settings\Application Data

C:\Documents and Settings\Tabitha\Local Settings\Temp

In Vista and Windows 7 it’s the C:\Users\Tabitha\AppData\Local\ folder, where Tabitha would be whatever your user name is.

Do the same in the following folders:

C:\Program Files

C:\WINDOWS

C:\WINDOWS\system32 (this is the jackpot for malware files, but be careful what you delete; you can disable Windows too)
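The “arrange by date modified and look for random-looking names” step above can be scripted so the list is produced for you instead of eyeballed in Explorer. This is an added example, not the author’s own procedure or tool: it walks a folder, keeps .exe and .dll files, sorts them newest first and tags names that match the article’s examples (all digits, no vowels, long consonant runs). The sample profile tree it scans is constructed in a temporary directory and contains only text files, and the name heuristic is my own; it ranks candidates for a human to review, it does not decide what is malware.

```python
import os
import re
import tempfile
import time
from pathlib import Path
SUSPECT_EXT = {".exe", ".dll"}  # the file types the article says to look for

def looks_random(stem):
    """Heuristic for machine-generated names like 054212246, skjfhfhshs or 41: all
    digits, no vowels, or a run of 4+ consonants. Expect false positives (e.g. rundll32)."""
    if stem.isdigit():
        return True
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if not letters:
        return False
    if not re.search(r"[aeiouy]", letters):
        return True
    return re.search(r"[^aeiouy]{4,}", letters) is not None

def triage(root):
    """Walk root, keep .exe/.dll files and return them newest first, each tagged
    with the name heuristic (the 'arrange by date modified' step, automated)."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SUSPECT_EXT:
                rows.append({"path": str(p), "mtime": p.stat().st_mtime,
                             "random_name": looks_random(p.stem)})
    rows.sort(key=lambda r: r["mtime"], reverse=True)
    return rows

def flagged_names(root):
    """Sorted file names the heuristic flagged, for a quick review list."""
    return sorted(Path(r["path"]).name for r in triage(root) if r["random_name"])

def build_sample_profile():
    """Constructed sample tree mimicking an XP profile; files hold harmless text."""
    root = tempfile.mkdtemp(prefix="profile_sample_")
    now = time.time()
    samples = [  # (relative path, modification time)
        ("Local Settings/Temp/054212246.exe", now),
        ("Local Settings/Temp/skjfhfhshs.exe", now - 60),
        ("Application Data/41.exe", now - 120),
        ("Application Data/juiemhifsdf.dll", now - 180),
        ("Application Data/Mozilla/updater.exe", now - 86400 * 200),
        ("Application Data/readme.txt", now - 3600),
    ]
    for rel, mtime in samples:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample file, not a real executable")
        os.utime(p, (mtime, mtime))
    return root
```

Point `triage()` at a real profile folder (for example the AppData\Local path above) and the newest and oldest entries are the ones the article says to inspect first; anything flagged still needs the folder-location check before it is touched.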

Lately more malware programs are tricking Windows into thinking they are part of Windows, so Windows won’t let you delete the files; it will say the file is in use or access denied. The only way to delete these is to boot off a Windows CD, go to the Recovery Console and use DOS commands to delete the file, but malware programs have been known to change their file names each time the computer restarts. In these cases you will need a boot CD; the Ultimate Boot CD is awesome for this.

If you need an onsite cleaning of your malware infections, contact me at my office phone at 615-469-1076 or call/text my cell at 615-332-2844, and with my extensive knowledge and experience with removal I can get you back up and running. Typically it takes 1-2 hours to clean the infection and ensure that there are no “leftovers” or copies hidden. Just like cleaning the car, I can sometimes delete one pop-up program in 5 minutes, but the real dirt is still there and a day later it returns because a copy was still hidden on the computer. So like a good detail service, it just takes time to make sure all of it is gone.

Although I can guarantee that the computer is clean when I leave, I can’t warranty my work for more than a week due to all the possible ways one can be infected. I hope with this informational sheet you will have better insight into what this war with the malware cronies is like; at this moment in time they have the upper hand. It is possible to go infection free, but it takes discernment and protection via anti-malware programs.

Additional Resources To View

http://www.spyware-fix.net

http://www.windowsecurity.com/articles/Spyware-Evolving.html

http://computer.howstuffworks.com/spyware.htm

http://www.stopbadware.org/

http://www.onguardonline.gov/

http://rogueantispyware.blogspot.com/

http://en.wikipedia.org/wiki/Spyware
