Category: Malware

  • Remove Malware with Malwarebytes Free

    I am the resident computer guy, so I get a lot of requests to fix computers.  Removing most malware is now so easy that I am surprised people still ask.  Here is how I clean most systems.

    Step 1.  Download the trial version of Malwarebytes

    The trial runs for 30 days.  It is great software, so I encourage you to buy it: https://www.malwarebytes.com/  Save the installer on your desktop or somewhere you can find it easily.  If the infected machine cannot reach the site or its browser has been hijacked, download the installer on a clean computer and carry it over on a USB stick.

    Step 2.  Restart your system in "Safe Mode"

    With the installer saved, restart the computer and press F8 repeatedly during startup until the boot options menu appears, then choose "Safe Mode".  Safe Mode loads only the core drivers and services, so much of the malware that normally starts with Windows is not running and cannot interfere with the scanner.  On Windows 8 and later the F8 menu is disabled by default; instead tick "Safe boot" on the Boot tab of msconfig (System Configuration), restart, and untick it again when you are done.

    Step 3.  Install Malwarebytes

    Double-click the installer and follow the prompts.

    Step 4.  Run a full scan

    How long this takes depends on how much data Malwarebytes has to go through and how fast your system is.  Quarantine everything it finds, reboot, and scan again: a second clean scan is the check that the first pass did not miss a component that re-dropped the rest.  Some infections need more than a scanner.  Rootkits, for example, are harder to get rid of, and for those I have found it helpful to search for the exact error text, warning banners and symptoms to find someone who had the same issue and fixed it.  Some are bad enough that you will have to do that search from a separate system.  If a rootkit is confirmed, back up your data and reinstall Windows from known-good media; a scanner cannot prove a rootkit is completely gone.

    Good luck to you.

  • Warning fake google chrome update

    **Sent from a subscriber**

    I was surfing the Internet and found the following bad link: http://www.1zoom.net/ Cities /wallpaper/306150/z904/


    As I was trying to move my cursor to get out of the site, another tab popped up saying that I must update my Google Chrome.  I closed it.

    I tried opening the tabs once more with the website to confirm whether my suspicion was right.  It led me to another tab that was asking me to download software to my toolbar.  I did not take a screenshot of that one.  I went back to my computer history to search for that specific link and it was not there anymore.  A virus warning appeared on my screen.  That is really scary.  Always be cautious and careful while browsing online.


  • Notice to Appear – Court Order – malware

    Malware detected

    Dear NAMEUSER,

    You have to appear in the Court on the April 14.  You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.  Note: The case will be heard by the judge in your absence if you do not come.

    You can review complete details of the Court Notice in the attachment.

    Regards,
    Hugh Buckley,
    Clerk of Court.

    State Court <hugh.buckley@ns89.websitewelcome.com>

    VirusTotal report on the attachment (vendors with a blank Result did not flag the file at the time; the original listing stops at 20 of the 57 engines):

    SHA256:          8889fcc7dca37f2cc23d7f664605578583f4fbfe102435c1cb58fbe9ce60e5fe
    File name:       Court_Notification_00000677743.zip
    Detection ratio: 12 / 57
    Analysis date:   2015-04-11 18:05:09 UTC

    Antivirus          Result                                   Update
    Microsoft          TrojanDownloader:JS/Nemucod.P            20150411
    NANO-Antivirus     Trojan.Script.Heuristic-js.iacgm         20150411
    AVware             Malware.JS.Generic (JS)                  20150411
    VIPRE              Malware.JS.Generic (JS)                  20150411
    Avast              JS:Decode-CAP [Trj]                      20150411
    ESET-NOD32         JS/TrojanDownloader.Nemucod.AF           20150411
    Fortinet           JS/Nemucod.AF!tr                         20150411
    Sophos             JS/DwnLdr-MKJ                            20150411
    McAfee             JS/Downloader.gen.d                      20150411
    McAfee-GW-Edition  JS/Downloader.gen.d                      20150411
    Kaspersky          HEUR:Trojan.Script.Generic               20150411
    Comodo             Heur.Dual.Extensions                     20150411
    ALYac              -                                        20150411
    AVG                -                                        20150411
    Ad-Aware           -                                        20150411
    AegisLab           -                                        20150411
    Agnitum            -                                        20150409
    AhnLab-V3          -                                        20150411
    Alibaba            -                                        20150411
    Antiy-AVL          -                                        20150411

  • County Court – Malware

    I have been getting a lot of these "County Court" notifications.  They usually carry an infected attachment; open it and your system gets infected with all kinds of malware.

    County Court <brad.marks@stats.buzz.arvixevps.com>

    courtesy of techcrunch.com

    Dear user,

    This is to inform you to appear in the Court on the April 24 for your case hearing.
    Please, prepare all the documents relating to the case and bring them to Court on the specified date.
    Note: If you do not come, the case will be heard in your absence.

    The copy of Court Notice is attached to this email.

    Regards,
    Brad Marks,
    District Clerk.

  • Unable to deliver your item, #00000620676 online fraud

    More online fraud.  Here is a fake FedEx email that tries to get you to open an attachment carrying malware.  If you get it, do NOT open the attachment and do NOT respond.

    FedEx International Ground <clifford.barron@cio.posluh.hr>

    Dear UserName,

    Your parcel has arrived at March 14. Courier was unable to deliver the parcel to you.
    You can review complete details of your order in the find attached.

    Yours trully,
    Clifford Barron,
    FedEx Station Agent.

    The attachment has the following VirusTotal detections:

    Antivirus          Result                                   Update
    Microsoft          TrojanDownloader:JS/Nemucod.P            20150405
    NANO-Antivirus     Trojan.Script.Heuristic-js.iacgm         20150405
    Kaspersky          Trojan-Downloader.JS.Agent.hdu           20150405
    Sophos             Troj/Dloadr-DXL                          20150405
    AVware             Malware.JS.Generic (JS)                  20150405
    VIPRE              Malware.JS.Generic (JS)                  20150405
    Emsisoft           JS:Trojan.Crypt.NI (B)                   20150405
    ALYac              JS:Trojan.Crypt.NI                       20150405
    Ad-Aware           JS:Trojan.Crypt.NI                       20150405
    BitDefender        JS:Trojan.Crypt.NI                       20150405
    F-Secure           JS:Trojan.Crypt.NI                       20150405
    GData              JS:Trojan.Crypt.NI                       20150405
    MicroWorld-eScan   JS:Trojan.Crypt.NI                       20150405
    nProtect           JS:Trojan.Crypt.NI                       20150404
    Avast              JS:Decode-CAC [Trj]                      20150405
    ESET-NOD32         JS/TrojanDownloader.Nemucod.AF           20150405
    Fortinet           JS/Nemucod.AF!tr                         20150405
    McAfee             JS/Downloader.gen.d                      20150405
    McAfee-GW-Edition  JS/Downloader.gen.d                      20150405
    CAT-QuickHeal      JS.Downloader.B                          20150404
    Comodo             Heur.Dual.Extensions                     20150405
    AVG                FakeAlert                                20150405

  • Reporting mail fraud: Notice of appearance in Court #00000443455


    If you receive this email, Do NOT open the attachment.

    Notice of Appearance in Court – email malware with attachment: Court_Notification_00000443455.zip

    DO NOT OPEN the Attachment!

    This attachment has the following VirusTotal detections:

    Antivirus          Result                                   Update
    AVware             Malware.JS.Generic (JS)                  20150405
    CAT-QuickHeal      JS.Downloader.B                          20150404
    Comodo             Heur.Dual.Extensions                     20150404
    ESET-NOD32         JS/TrojanDownloader.Nemucod.AF           20150404
    Fortinet           JS/Nemucod.AF!tr                         20150405
    Kaspersky          Trojan-Downloader.JS.Agent.hdu           20150405
    McAfee             JS/Downloader.gen.d                      20150405
    McAfee-GW-Edition  JS/Downloader.gen.d                      20150404
    Microsoft          TrojanDownloader:JS/Nemucod.P            20150405
    NANO-Antivirus     Trojan.Script.Heuristic-js.iacgm         20150404
    Sophos             Troj/JSDldr-AU                           20150405
    VIPRE              Malware.JS.Generic (JS)                  20150405

    Dear UserName,

    This is to inform you to appear in the Court on the April 02 for your case hearing.
    Please, do not forget to bring all the documents related to the case.
    Note: If you do not come, the case will be heard in your absence.

    The copy of Court Notice is attached to this email.

    Sincerely,
    Alberto Crabtree,
    Court Secretary.
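    The two court notices, the FedEx "unable to deliver" message and this one are the same lure: a .zip whose member is a JScript downloader, which is what the vendor names on the page say (JS/TrojanDownloader, Nemucod, and Comodo's Heur.Dual.Extensions, the "Court_Notification.pdf.js" trick that makes a script look like a document).  The script below is an added example, not the blog's own tooling.  It triages such an attachment offline: it hashes the zip against the one SHA-256 the page prints, and flags members that carry a script or double extension, PE (Windows executable) content regardless of extension, which also covers an attachment like the Lloyds one further down, or the ActiveX objects these downloaders need.  The sample archive is constructed here with a harmless stub; its member name is a guess at the campaign's naming, not a captured file.

```python
"""Offline triage of an e-mailed .zip attachment.

Added example for the court-notice / FedEx posts above; not code from the
original page. The sample archive is CONSTRUCTED and harmless: its member
name and contents only mimic what the AV names on the page describe (a JScript
downloader behind a doubled extension). KNOWN_BAD holds the SHA-256 printed
in the VirusTotal report above.
"""
import hashlib
import io
import zipfile

KNOWN_BAD = {
    # Court_Notification_00000677743.zip, from the post's VirusTotal report
    "8889fcc7dca37f2cc23d7f664605578583f4fbfe102435c1cb58fbe9ce60e5fe",
}

# Windows runs these directly on double-click; a zip holding one is a downloader in a box.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".cmd", ".bat", ".scr", ".exe", ".ps1", ".lnk"}
# Extensions people expect to be harmless; a script behind one is the "Dual.Extensions" trick.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}
# ActiveX objects a Nemucod-style JScript dropper needs to fetch and run its payload.
ACTIVEX_MARKERS = (b"wscript.shell", b"msxml2.xmlhttp", b"adodb.stream", b"activexobject")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_findings(name: str, head: bytes) -> list:
    """Reasons one archive member is suspicious (empty list = nothing found)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in SCRIPT_EXTS:
        reasons.append(f"executable/script extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in SCRIPT_EXTS:
        reasons.append("double extension (decoy document name in front of a script)")
    if head.startswith(b"MZ"):
        reasons.append("PE executable content (MZ header) regardless of extension")
    lowered = head.lower()
    for marker in ACTIVEX_MARKERS:
        if marker in lowered:
            reasons.append(f"script references {marker.decode()}")
    return reasons


def triage_zip(data: bytes) -> dict:
    """Hash the archive, match it against known-bad hashes, and inspect every member."""
    digest = sha256_hex(data)
    report = {"sha256": digest, "known_bad": digest in KNOWN_BAD, "members": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64 * 1024)  # magic bytes and the ActiveX strings sit near the top
            report["members"][info.filename] = member_findings(info.filename, head)
    report["suspicious"] = report["known_bad"] or any(report["members"].values())
    return report


def build_sample_zip() -> bytes:
    """CONSTRUCTED sample resembling the court-notice attachment; the JScript is an inert stub."""
    js = (b"var s = new ActiveXObject('WScript.Shell');\n"
          b"var x = new ActiveXObject('MSXML2.XMLHTTP');\n"
          b"// stub: a real dropper would fetch and run a payload here\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Court_Notification_00000677743.pdf.js", js)  # assumed name, not captured
    return buf.getvalue()


if __name__ == "__main__":
    r = triage_zip(build_sample_zip())
    print("sha256:", r["sha256"], "known-bad:", r["known_bad"])
    for member, reasons in r["members"].items():
        print(member, "->", "; ".join(reasons) or "nothing found")
    print("SUSPICIOUS" if r["suspicious"] else "clean by these checks")
```

    To use it on a real attachment, read the .zip's bytes and pass them to triage_zip; the hash match is the exact-IOC check, and the member checks catch the next sample in the campaign whose hash is not on any list yet.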

  • Joydownload Virus

    Be careful when you download new software.  Download from the software's actual creator whenever possible, and avoid getting software from BitTorrent.  If you do, at least read the comments on the torrent you plan to download.

    Search engines such as Google are great for finding software, but the top results are not always the safest.  It is best to get software directly from the organization that created it, not from random download sites, and to check the installer against the publisher's published checksum or its digital signature before running it.

    For example, at one time "Joydownload. com" was among the top results for "Yahoo Messenger" and other apps, but downloads from that site may carry trojans.

    Joydownload is a known malware distribution site, according to these reports:

    • http://safeweb.norton.com/reviews?url=joydownload.com
    • http://www.scumware.org/report/www.joydownload.com.html

    Joydownload scan from VirusTotal:

    URL Scanner   Result
    Avira         Malware site
    Emsisoft      Malware site
    Fortinet      Malware site
    G-Data        Malware site
    Sophos        Malicious site


  • lloyds message service – debit posted.zip (malware)

    If you got "lloyds message service – debit posted" in an email, it is a virus.  The .zip attachment is malware, verified on VirusTotal.com: the vendor names below (Win32/TrojanDownloader.Waski, Troj/Zbot, PE:Malware.FakePDF) say it carries a Windows executable dressed up as a PDF, whose job is to download more malware.

    Screenshot of the lloyds message service email, courtesy of tranquilnet

    Subject: You have received a new debit

    This is an automatically generated email by the Lloyds TSB PLC
    LloydsLink online payments Service to inform you that you have
    receive a NEW Payment.

    The details of the payment are attached.

    This e-mail (including any attachments) is private and confidential
    and may contain privileged material. If you have received this


    Scan from VirusTotal (13 of the 49 engines listed flagged the file; a blank Result means that vendor did not detect it at the time):

    Antivirus             Result                                Update
    Ad-Aware              -                                     20131211
    Agnitum               -                                     20131217
    AhnLab-V3             Trojan/Win32.Dapato                   20131218
    AntiVir               -                                     20131218
    Antiy-AVL             -                                     20131218
    Avast                 Win32:Malware-gen                     20131218
    AVG                   -                                     20131218
    Baidu-International   -                                     20131213
    BitDefender           -                                     20131211
    Bkav                  -                                     20131218
    ByteHero              -                                     20130613
    CAT-QuickHeal         -                                     20131218
    ClamAV                -                                     20131218
    CMC                   -                                     20131217
    Commtouch             W32/Trojan.CIRP-9141                  20131218
    Comodo                -                                     20131218
    DrWeb                 -                                     20131218
    Emsisoft              -                                     20131218
    ESET-NOD32            Win32/TrojanDownloader.Waski.A        20131218
    F-Prot                W32/Trojan3.GVD                       20131218
    F-Secure              Trojan.Agent.BBBY                     20131218
    Fortinet              -                                     20131218
    GData                 Trojan.Agent.BBBY                     20131218
    Ikarus                Trojan-Spy.Agent                      20131218
    Jiangmin              -                                     20131218
    K7AntiVirus           -                                     20131218
    K7GW                  -                                     20131218
    Kaspersky             Trojan.Win32.Bublik.boha              20131218
    Kingsoft              -                                     20130829
    Malwarebytes          Trojan.Agent.RV                       20131218
    McAfee                -                                     20131218
    McAfee-GW-Edition     -                                     20131218
    Microsoft             -                                     20131218
    MicroWorld-eScan      -                                     20131218
    NANO-Antivirus        -                                     20131218
    Norman                -                                     20131218
    nProtect              -                                     20131218
    Panda                 -                                     20131218
    Rising                PE:Malware.FakePDF@CV!1.9E18          20131218
    Sophos                Troj/Zbot-HEQ                         20131218
    SUPERAntiSpyware      -                                     20131218
    Symantec              -                                     20131218
    TheHacker             -                                     20131217
    TotalDefense          -                                     20131217
    TrendMicro            -                                     20131218
    TrendMicro-HouseCall  TROJ_GEN.F47V1218                     20131218
    VBA32                 -                                     20131218
    VIPRE                 -                                     20131218
    ViRobot               -                                     20131218

  • What is Autorun.inf?

    What exactly is autorun.inf?  Is it a virus, or just a file that other applications on the computer need in order to run?  Have you ever had your anti-virus alert that autorun.inf was detected as a threat?

    Autorun.inf is the instruction file behind the AutoRun/AutoPlay feature.  It is a plain-text configuration file in the root of a CD, DVD or removable disk that tells Windows which executable to start and which icon and label to show for the drive.  In other words, autorun.inf tells the operating system how to treat the contents of a disc or removable drive when it is plugged in or opened.

    Autorun.inf is not malware in itself, but malware uses it to get onto your computer.  Old worms such as Bacalid and RavMon.exe, and plenty of trojans, copy themselves to the root of every drive they can reach and write an autorun.inf that points at the copy, so the worm runs every time the drive is plugged in (where AutoRun is enabled) or double-clicked in Explorer.  That is why a scanner flags autorun.inf: the file is harmless text, but what it points at is not.  Windows 7 and later (and XP/Vista with update KB971029) no longer honour autorun.inf on USB sticks, only on optical discs, which is why these worms mostly spread on older systems.

    If your anti-virus has flagged autorun.inf but not yet acted on it, here is how to disable AutoRun and remove an infected autorun.inf.

    You can disable AutoRun for all drives through the registry.  Open the Registry Editor by running regedit.exe from the Run box or a command prompt and go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (or the same path under HKEY_LOCAL_MACHINE to apply it to every user).  Double-click the NoDriveTypeAutoRun DWORD value and set it to hexadecimal FF (255 decimal).  If NoDriveTypeAutoRun does not exist, create it by right-clicking the right-hand pane, choosing New -> DWORD Value and naming it NoDriveTypeAutoRun.  Mind the name: the similarly named NoDriveAutoRun value is a bitmask of drive letters, so FF in it would only cover drives A: through H:, whereas NoDriveTypeAutoRun with FF covers every drive type.  Close the Registry Editor and restart the computer.  This disables AutoRun for all drives, so an infected USB stick or CD no longer launches anything by itself, which blocks the way viruses like Bacalid and RavMon.exe spread.

    To delete an autorun.inf that a virus has planted, open a command prompt, type cd\ and press Enter, then type the letter of your USB or CD drive, for example F:, and press Enter.  Before deleting it, run type autorun.inf to see which file the open= or shellexecute= line launches: that file is the actual worm, and removing only autorun.inf leaves it on the drive.  Type attrib -h -r -s autorun.inf and press Enter to clear the hidden, read-only and system attributes, then del autorun.inf, and clear the attributes and delete the launched file the same way.  That is the easiest way to keep autorun.inf from spreading a virus from your computer.  If you have any questions, you can comment on this post.  Thank you!
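    The removal procedure above assumes you know what the autorun.inf launches.  The script below is an added example, not code from the original page: it parses an autorun.inf the way Windows reads it (case-insensitive keys under [autorun]; open=, shellexecute= and shell\<verb>\command= are the ones that execute something), lists the reasons a security practitioner would call it malicious, and returns every file to un-hide and delete, the autorun.inf plus each program it points at.  The sample autorun.inf is constructed here in the style of the RavMon/Bacalid-era USB worms the post names; the SID-like folder and the executable path are placeholders, not a captured file.

```python
"""Read an autorun.inf before deleting it, so the worm it points at goes too.

Added example for the autorun.inf post above; not code from the original page.
SAMPLE_AUTORUN is CONSTRUCTED in the style of old USB worms (hidden executable
in RECYCLER, launched by open= and by the Explorer double-click verb) and the
paths in it are placeholders.
"""
import configparser
import ntpath

# Folders worms hide in on a removable drive; Explorer hides them by default, so a
# launch target inside one is a strong sign the autorun.inf is not a vendor's.
HIDEOUTS = ("recycler", "recycled", "$recycle.bin", "system volume information")

SAMPLE_AUTORUN = """\
; CONSTRUCTED sample, not a real capture
[autorun]
open=RECYCLER\\S-1-5-21-EXAMPLE\\ravmon.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-EXAMPLE\\ravmon.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-EXAMPLE\\ravmon.exe -e
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
"""


def parse_autorun(text: str) -> dict:
    """Extract what [autorun] executes: open=, shellexecute= and shell\\<verb>\\command= entries."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str.lower  # INF keys are case-insensitive: "Command" == "command"
    cp.read_string(text)
    result = {"launch": [], "default_verb": None, "icon": None, "label": None}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue  # [DeviceInstall], [Content] and friends do not run anything
        for key, value in cp.items(section):
            value = (value or "").strip()
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                result["launch"].append((key, value))
            elif key == "shell":
                result["default_verb"] = value  # the shell\<verb> Explorer uses on double-click
            elif key == "icon":
                result["icon"] = value
            elif key == "label":
                result["label"] = value
    return result


def suspicious_reasons(parsed: dict, removable: bool = True) -> list:
    """Why this autorun.inf should be treated as malicious (empty list = nothing found)."""
    reasons = []
    if removable and parsed["launch"]:
        # A USB stick has no business auto-launching anything; an installer CD does.
        reasons.append("removable media auto-launches a program")
    for key, target in parsed["launch"]:
        if any(h in target.lower() for h in HIDEOUTS):
            reasons.append(f"{key}= points into a hidden system folder: {target}")
    if "shell32.dll" in (parsed["icon"] or "").lower():
        reasons.append("icon borrows a stock Windows icon so the drive looks like a folder or system object")
    return reasons


def removal_targets(drive_root: str, text: str) -> list:
    """Files to un-hide (attrib -h -r -s) and delete: autorun.inf plus every program it launches."""
    parsed = parse_autorun(text)
    paths = [ntpath.join(drive_root, "autorun.inf")]
    for _key, target in parsed["launch"]:
        tokens = target.split()
        if not tokens:
            continue
        exe = tokens[0].strip('"')  # drop arguments such as "-e"
        if exe.startswith("%"):
            continue  # %SystemRoot%-style path lives on the system drive, not on this one
        on_drive = ntpath.isabs(exe) or ntpath.splitdrive(exe)[0]
        path = exe if on_drive else ntpath.join(drive_root, exe)
        if path not in paths:
            paths.append(path)
    return paths


if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN)
    for key, target in parsed["launch"]:
        print(f"launches via {key}: {target}")
    for reason in suspicious_reasons(parsed):
        print("suspicious:", reason)
    print("delete:", *removal_targets("F:\\", SAMPLE_AUTORUN), sep="\n  ")
```

    On a real stick, read F:\autorun.inf into text and call removal_targets("F:\\", text); every path it returns gets the attrib -h -r -s and del treatment from the post, and the three configparser options matter because worm-written files are often sloppy (duplicate keys, odd casing, no value after a key).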

  • Star Trek Based Anti-Virus: Klingon Anti-Virus (KAV)

    Sophos put out a Star Trek based anti-virus, a Klingon-language version of its scanner.  Pure genius.  The downloads for it are off the charts.  It is free, it is fun, and it is incredibly smart marketing.  Like many brilliant ideas it was an accident; well, it was put out as an accident.  But I for one am glad it was.

    The Star Trek movie was awesome, by the way!  Great move for a franchise that deserves a larger commercial audience.  I am anxious for more movies and shows.