
Remove Malware with Malwarebytes Free

I am the resident computer guy, so I get lots of requests to fix computers. It is now so easy to remove most malware that I am surprised people still ask me. Here is how I remove malware on most systems.

Step 1. Download the Trial Version of Malwarebytes

You can get the trial version for 30 days. It is great software, so I encourage you to buy it: https://www.malwarebytes.com/ Download the free trial to your desktop or somewhere you can easily find it.

Step 2.  Restart your system in “Safe Mode”

Once Malwarebytes is downloaded to your system, restart the computer and press the F8 key repeatedly until you are given the option to boot the system in a different mode. Select “Safe Mode”.

Step 3.  Install Malwarebytes

Double click Malwarebytes, and follow the instructions.

Step 4. Start Malwarebytes

How long this takes depends on how much data Malwarebytes has to go through and how fast your system is. Some infections take more than normal anti-malware software to remove. Rootkits, for example, are a little harder to get rid of. For these, I have found it helpful to google the errors, warning banners and symptoms you are seeing to find someone else who had the same issue and fixed it. Some are so bad that you will have to search for an answer on a separate system.

Good luck to you.

CVS ExtraCare Card

Scam – Attn: Your CVS ExtraCare Card Has Been Updated – Must Confirm

This email contains a link to a possible malware site:


CVS Extra Care Rewards Program
DATE: 1/12/16

IMPORTANT MESSAGE FOR CVS CARD HOLDER: YOUR EMAIL

Your CVS Extra Care Savings & Rewards Card Has Been Updated.

To be sure you keep all of your points that you’ve accumulated over the years shopping at CVS (both market and pharmacy), you must visit the link below to start using your new rewards.

Link REMOVED – Goes to possible malware site
**Reward #3833 will expire on 1/16/16. Don’t Forget!

VirusTotal:

URL Scanner – Result
Sucuri SiteCheck – Malicious site
ParetoLogic – Malware site

Notice to Appear – Court Order – malware

Malware detected

Dear NAMEUSER,

You have to appear in the Court on the April 14.  You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.  Note: The case will be heard by the judge in your absence if you do not come.

You can review complete details of the Court Notice in the attachment.

Regards,
Hugh Buckley,
Clerk of Court.

State Court <hugh.buckley@ns89.websitewelcome.com>

SHA256: 8889fcc7dca37f2cc23d7f664605578583f4fbfe102435c1cb58fbe9ce60e5fe
File name: Court_Notification_00000677743.zip
Detection ratio: 12 / 57
Analysis date: 2015-04-11 18:05:09 UTC
Antivirus – Result – Update
Microsoft – TrojanDownloader:JS/Nemucod.P – 20150411
NANO-Antivirus – Trojan.Script.Heuristic-js.iacgm – 20150411
AVware – Malware.JS.Generic (JS) – 20150411
VIPRE – Malware.JS.Generic (JS) – 20150411
Avast – JS:Decode-CAP [Trj] – 20150411
ESET-NOD32 – JS/TrojanDownloader.Nemucod.AF – 20150411
Fortinet – JS/Nemucod.AF!tr – 20150411
Sophos – JS/DwnLdr-MKJ – 20150411
McAfee – JS/Downloader.gen.d – 20150411
McAfee-GW-Edition – JS/Downloader.gen.d – 20150411
Kaspersky – HEUR:Trojan.Script.Generic – 20150411
Comodo – Heur.Dual.Extensions – 20150411
ALYac – (no detection) – 20150411
AVG – (no detection) – 20150411
Ad-Aware – (no detection) – 20150411
AegisLab – (no detection) – 20150411
Agnitum – (no detection) – 20150409
AhnLab-V3 – (no detection) – 20150411
Alibaba – (no detection) – 20150411
Antiy-AVL – (no detection) – 20150411

Reporting mail fraud: Notice of appearance in Court #00000443455


If you receive this email, do NOT open the attachment.

Notice of Appearance in Court – email malware with attachment: Court_Notification_00000443455.zip

DO NOT OPEN the Attachment!

VirusTotal reports the following detections for this attachment:

Antivirus – Result – Update
AVware – Malware.JS.Generic (JS) – 20150405
CAT-QuickHeal – JS.Downloader.B – 20150404
Comodo – Heur.Dual.Extensions – 20150404
ESET-NOD32 – JS/TrojanDownloader.Nemucod.AF – 20150404
Fortinet – JS/Nemucod.AF!tr – 20150405
Kaspersky – Trojan-Downloader.JS.Agent.hdu – 20150405
McAfee – JS/Downloader.gen.d – 20150405
McAfee-GW-Edition – JS/Downloader.gen.d – 20150404
Microsoft – TrojanDownloader:JS/Nemucod.P – 20150405
NANO-Antivirus – Trojan.Script.Heuristic-js.iacgm – 20150404
Sophos – Troj/JSDldr-AU – 20150405
VIPRE – Malware.JS.Generic (JS) – 20150405


Dear UserName,

This is to inform you to appear in the Court on the April 02 for your case hearing.
Please, do not forget to bring all the documents related to the case.
Note: If you do not come, the case will be heard in your absence.

The copy of Court Notice is attached to this email.

Sincerely,
Alberto Crabtree,
Court Secretary.


lloyds message service – debit posted.zip (malware)

If you got “lloyds message service – debit posted” in an email, then it's a virus. This .zip is malware, verified by VirusTotal.com.


courtesy of tranquilnet

Subject: You have received a new debit

This is an automatically generated email by the Lloyds TSB PLC
LloydsLink online payments Service to inform you that you have
receive a NEW Payment.

The details of the payment are attached.

This e-mail (including any attachments) is private and confidential
and may contain privileged material. If you have received this


Scan From VirusTotal:

Antivirus – Result – Update
Ad-Aware – (no detection) – 20131211
Agnitum – (no detection) – 20131217
AhnLab-V3 – Trojan/Win32.Dapato – 20131218
AntiVir – (no detection) – 20131218
Antiy-AVL – (no detection) – 20131218
Avast – Win32:Malware-gen – 20131218
AVG – (no detection) – 20131218
Baidu-International – (no detection) – 20131213
BitDefender – (no detection) – 20131211
Bkav – (no detection) – 20131218
ByteHero – (no detection) – 20130613
CAT-QuickHeal – (no detection) – 20131218
ClamAV – (no detection) – 20131218
CMC – (no detection) – 20131217
Commtouch – W32/Trojan.CIRP-9141 – 20131218
Comodo – (no detection) – 20131218
DrWeb – (no detection) – 20131218
Emsisoft – (no detection) – 20131218
ESET-NOD32 – Win32/TrojanDownloader.Waski.A – 20131218
F-Prot – W32/Trojan3.GVD – 20131218
F-Secure – Trojan.Agent.BBBY – 20131218
Fortinet – (no detection) – 20131218
GData – Trojan.Agent.BBBY – 20131218
Ikarus – Trojan-Spy.Agent – 20131218
Jiangmin – (no detection) – 20131218
K7AntiVirus – (no detection) – 20131218
K7GW – (no detection) – 20131218
Kaspersky – Trojan.Win32.Bublik.boha – 20131218
Kingsoft – (no detection) – 20130829
Malwarebytes – Trojan.Agent.RV – 20131218
McAfee – (no detection) – 20131218
McAfee-GW-Edition – (no detection) – 20131218
Microsoft – (no detection) – 20131218
MicroWorld-eScan – (no detection) – 20131218
NANO-Antivirus – (no detection) – 20131218
Norman – (no detection) – 20131218
nProtect – (no detection) – 20131218
Panda – (no detection) – 20131218
Rising – PE:Malware.FakePDF@CV!1.9E18 – 20131218
Sophos – Troj/Zbot-HEQ – 20131218
SUPERAntiSpyware – (no detection) – 20131218
Symantec – (no detection) – 20131218
TheHacker – (no detection) – 20131217
TotalDefense – (no detection) – 20131217
TrendMicro – (no detection) – 20131218
TrendMicro-HouseCall – TROJ_GEN.F47V1218 – 20131218
VBA32 – (no detection) – 20131218
VIPRE – (no detection) – 20131218
ViRobot – (no detection) – 20131218

What is Autorun.inf?

What exactly is autorun.inf? Is it a virus, or just a file that other applications on your computer need in order to run? Has your anti-virus application ever alerted you that autorun.inf was detected as a threat to your computer?

AutoRun.inf is the primary instruction file for the AutoRun function. It is a simple text-based configuration file that tells the operating system which executable to start and which icon to use. In other words, autorun.inf tells the operating system how to treat the programs and executable files on a CD or any removable disk that is plugged into your computer.

Autorun.inf is not itself malware, but a virus can use autorun.inf to get access to the programs and files on your computer. Common viruses such as Bacalid and RavMon.exe, and even Trojans, hide behind autorun.inf to spread easily to your computer. These viruses save themselves in the root directory of the infected disk and run every time you double-click the drive. If a USB stick or CD is infected, the device runs the virus automatically as soon as it is plugged into a computer where AutoRun is enabled.

If your anti-virus has detected autorun.inf as a threat but has not yet taken action on it, here are some tips to remove an autorun.inf that has been infected by a virus.

You can disable AutoRun for all drives by configuring the registry. First, open the Registry Editor by typing regedit.exe at the command prompt, or run it from the Run dialog. Then navigate to this key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Double-click the NoDriveAutorun DWORD entry and enter the value FF hex (255 decimal). (If NoDriveAutorun does not exist, create it by right-clicking the right-hand pane of the Registry Editor window, then clicking New -> DWORD Value and typing NoDriveAutorun.) Close the Registry Editor and restart the computer. This disables AutoRun for all drives on your computer, which at least prevents infected USB drives or CDs from running automatically and avoids infection by viruses like Bacalid and RavMon.exe.

Another way to disable or delete an autorun.inf that has been infected is to use the command prompt: type cd\ and press Enter. Then type the letter of your USB or CD drive, for example F:, and press Enter. Type attrib -h -r -s autorun.inf and press Enter to clear the hidden, read-only and system attributes, then type del autorun.inf. That's the easiest way to stop a virus spreading from your computer via autorun.inf. If you have any questions, you can comment on this post. Thank you!
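The two procedures above (the NoDriveAutorun policy value and clearing the hidden/read-only/system attributes before deleting autorun.inf) combined into one added PowerShell example; this is not code from the original post. It assumes an elevated session, additionally sets NoDriveTypeAutoRun (a separate documented Explorer policy value, not mentioned in the post, that disables AutoRun by drive type), and only reports autorun.inf files on removable and CD drives unless -Remove is passed.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# The key path and NoDriveAutorun = 0xFF come from the post; NoDriveTypeAutoRun is an
# additional documented Explorer policy value (assumption: 0xFF covers every drive type).
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRunPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Per-drive-letter mask, exactly as the post describes (FF hex = 255 decimal)
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveAutorun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    # Per-drive-type mask: removable, fixed, network, CD-ROM and RAM disks all disabled
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    # Return the effective values so the caller can verify the policy took
    Get-ItemProperty -Path $PolicyKey | Select-Object NoDriveAutorun, NoDriveTypeAutoRun
}

function Get-AutorunInf {
    param([switch]$Remove)
    # Win32_LogicalDisk DriveType: 2 = removable disk, 5 = CD-ROM
    Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in @(2, 5) } | ForEach-Object {
        $path = Join-Path $_.DeviceID 'autorun.inf'
        # -Force is needed because infected autorun.inf files are usually hidden+system
        $inf = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $inf) { return }
        # Record which executable the file would launch ("open=" / "shellexecute=" lines)
        $launch = Select-String -LiteralPath $path -Pattern '^\s*(open|shellexecute)\s*=' |
                  ForEach-Object { $_.Line.Trim() }
        $result = [pscustomobject]@{
            Drive      = $_.DeviceID
            Attributes = $inf.Attributes     # Hidden, ReadOnly, System: what "attrib -h -r -s" clears
            Launches   = ($launch -join '; ')
            Removed    = $false
        }
        if ($Remove) {
            # Equivalent of the post's "attrib -h -r -s autorun.inf" followed by "del autorun.inf"
            $inf.Attributes = 'Normal'
            Remove-Item -LiteralPath $path -Force
            $result.Removed = $true
        }
        $result
    }
}

Disable-AutoRunPolicy
Get-AutorunInf | Format-List      # add -Remove to delete the files that are found
```

Review the Launches column before deleting: an autorun.inf pointing at an executable in the drive root is the pattern the post describes, and that executable is the file you want your anti-virus to inspect.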

Star Trek Based Anti-Virus: Klingon Anti-Virus (KAV)

Sophos put out a Star Trek-based anti-virus. Pure genius. The downloads for it are off the charts. It's free, it's fun and it's incredibly smart marketing. Like many brilliant ideas, it was an accident. Well, it was put out as an accident. But I for one am glad it was.

The Star Trek movie was awesome by the way! Great move for a franchise that deserves a larger commercial audience. I’m anxious for more movies and shows.

Osama Hanged (virus)

*verified with snopes.com and about anti-virus*

Emails with pictures of Osama Bin-Laden hanged are being sent and the
moment that you open these emails your computer will crash and you
will not be able to fix it!

1.) If you get an e-mail along the lines of ‘Osama Bin Laden Captured’
or ‘Osama Hanged’ , don’t open the Attachment!!!!

This e-mail is being distributed through countries around the globe,
but mainly in the US and Israel.

Be considerate & send this warning to whomever you know..

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS.

2.) You should be alert during the next few days:

Do not open any message with an attached file called ‘Invitation’
regardless of who sent it.

It is a virus that opens an Olympic Torch which ‘burns’ the whole hard
disc C of your computer!!!!

This virus will be received from someone who has your e-mail address
in his/her contact list, that is why you should send this E-Mail to all
your contacts.

It is better to receive this message 25 times than to receive the virus
and open it.

If you receive e-mail called ‘invitation’, though sent by a friend. Do
not open it!!! Shut down your computer immediately!!!!

This is the worst virus announced by CNN, it has been classified by
Microsoft as the most destructive virus ever.

This virus was discovered by McAfee yesterday, and there is no repair
yet for this kind of virus.

This virus simply destroys the Zero Sector of the Hard Disc, where the
vital information is kept.

Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002

That which does not kill us makes us stronger.
-Friedrich Nietzsche

In the November 2002 Information Security Magazine article “Infosec's Worst Nightmares”, Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002. Mr. Skoudis is a founder of Intelguardians Network Intelligence, LLC and a handler at the very popular Internet Storm Center.

Mr. Skoudis notes that the top five destructive attacks of 1998 – 2002 made many industries “battle-tested” and more likely to be proactive rather than reactive. His five-year worst list is based on exploits that shook our very faith in the Internet and the security of e-commerce.

1. Code Red (2001). On July 13, 2001, the worm attacked Microsoft IIS systems; by July 19, 2001 it had affected over 350,000 systems. SANS and the Honeynet Project set up honeypots to capture the worm, but eEye Digital Security's programmers did the most intense research on it and also named it. The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft's MS01-033 patch; it was a buffer overflow attack. Some of the lessons learned: keep systems patched, use honeypots to capture malware, and coordinate response to contain worms.

2. Nimda (2001). Shortly after 9/11, the Nimda worm was unleashed. It caused more financial damage than Code Red. There were rumors that China released it to hurt the US further, but this is unlikely given the nature of Nimda.

While it was bad, it had the appearance of being written by a determined amateur, not a nation-state that spends $1 billion annually on cyberwarfare capabilities. – Skoudis.

Nimda affected Windows 95, 98, Me, NT and 2000 clients and servers running Windows NT and 2000. It was so effective because it attacked IIS, e-mail, browsers and network shares at once. This multi-dimensional attack method could mark a trend in future cyberwarfare.

Lessons learned: the importance of an incident response capability, and disabling arbitrary scripts in e-mail and browsers.

3. Melissa (1999) & LoveLetter (2000). Both spread through e-mail propagation. Melissa was a Microsoft Word macro virus; LoveLetter was the “I Love You” virus. Each harvested the victim's address book to forward itself to more victims, which killed a lot of e-mail servers. Lessons learned: many companies got serious about implementing anti-virus applications throughout the network.

4. Distributed Denial-of-Service (DDoS) attacks (2000). After all the panic of pre-Y2K, a completely new and unexpected storm hit major sites: Yahoo!, Amazon, CNN, E*Trade, ZDNet and eBay, all by a single child hacker nicknamed Mafiaboy. He had spread zombie flooding agents to hundreds of machines around the world and used them to attack sites with billions of useless packets. Lessons learned: employ anti-spoofing filters.

5. Remote Control Trojan Horse Backdoors (1998 – 2000). In 1998, the Cult of the Dead Cow hacker group created the Trojan Back Orifice, which initially targeted Windows NT/9x. The tool allowed unskilled attackers to attack any vulnerable system. It also marked the rise of the “script kiddies” and produced a bunch of spin-offs such as SubSeven, NetBus and Hack-a-Tack.

Malware Alarm

A friend of mine wanted me to do some work on her computer, but when I fired up the computer all I saw was Malware Alarm.

The computer was really slow and essentially unusable. Malware Alarm, I noticed, looks a lot like the scamware PS Guard and SpySheriff. These are applications that pretend to be anti-virus or anti-spam software but actually infect your system with spyware, mass-mailers and backdoors. This type of malware is known as a trojan. As usual, any attempt to shut this application down or minimize it is useless, because even if you do manage to get anything else up, it eats up so many system resources (CPU, memory, bandwidth) that the computer itself is close to useless. If you delete it in normal mode and miss a part of it, it will regenerate itself like a hydra.

After looking at the Task Manager (which took 20 minutes or so), I decided to reboot in “Safe Mode”. Unless your system has something like a rootkit (malware that replaces a core component of your operating system), Safe Mode turns on only what is needed and nothing else. I used System Restore to remove Malware Alarm, and Spybot Search & Destroy and Ad-Aware to remove everything else.

System Restore should be used first because it is the easiest and does not require any additional software.

1) Reboot in Safe Mode: restart the system, hit F8, select “Safe Mode”.

2) Proceed in Safe Mode: when prompted (as in the picture above), select “NO”.

3) Restore Wizard: select a date prior to when you received the malware (System Restore does not delete newly downloaded files, only new changes in the registry).
