Elamb Cybersecurity

Category: Malware/Malware Removal

  • Remove Malware with Malwarebytes Free

    I am the resident computer guy.  So I get lots of requests to fix computers.  It is now so easy to remove most malware that I am really surprised people still ask me.  Here is how I remove malware on most systems.

    Step 1.  Download the Trial Version of malwarebytes

    You can get the trial version for 30-days.  It is great software so I encourage you to buy it - https://www.malwarebytes.com/  Download the free trial on your desktop or somewhere you can easily find it.

    Step 2.  Restart your system in “Safe Mode”

    Once malwarebytes is downloaded on your system, restart the computer and hit the “F8” key to over and over until you are given the option to boot the system in a different state. Select “Safe Mode”

    Step 3.  Install Malwarebytes

    Double click Malwarebytes, and follow the instructions.

    Step 4. Start Malwarebytes

    How long this takes depends on how much data Malwarebytes has to go through and how fast you system is.  Some things will take more than normal antimalware software.  Rootkits for example, are a little harder to get rid of.  For these, I have found it helpful to google the errors, warning banners and symptoms you are seeing to find someone else who had the same issue and fixed it.  Some are so bad you will have to search for an answer on a separate system.

    Good luck to you.

  • Scam – Attn: Your CVS ExtraCare Card Has Been Updated – Must Confirm

    This email contains a link to a possible malware site:

     

    CVS Extra Care Rewards Program
    DATE: 1/12/16

    IMPORTANT MESSAGE FOR CVS CARD HOLDER: YOUR EMAIL

    Your CVS Extra Care Savings & Rewards Card Has Been Updated.

    To be sure you keep all of your points that you’ve accumulated over the years shopping at CVS (both market and pharmacy), you must visit the link below to start using your new rewards.

    Link REMOVED – Goes to possible malware site
    **Reward #3833 will expire on 1/16/16. Don’t Forget!

    VirusTotal:

    URL Scanner Result
    Sucuri SiteCheck Malicious site
    ParetoLogic Malware site

  • Notice to Appear – Court Order – malware

    Malware detected

    Dear NAMEUSER,

    You have to appear in the Court on the April 14.  You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.  Note: The case will be heard by the judge in your absence if you do not come.

    You can review complete details of the Court Notice in the attachment.

    Regards,
    Hugh Buckley,
    Clerk of Court.

    State Court <hugh.buckley@ns89.websitewelcome.com>

    SHA256: 8889fcc7dca37f2cc23d7f664605578583f4fbfe102435c1cb58fbe9ce60e5fe
    File name: Court_Notification_00000677743.zip
    Detection ratio: 12 / 57
    Analysis date: 2015-04-11 18:05:09 UTC ( 0 minutes ago )
    Antivirus Result Update
    Microsoft TrojanDownloader:JS/Nemucod.P 20150411
    NANO-Antivirus Trojan.Script.Heuristic-js.iacgm 20150411
    AVware Malware.JS.Generic (JS) 20150411
    VIPRE Malware.JS.Generic (JS) 20150411
    Avast JS:Decode-CAP [Trj] 20150411
    ESET-NOD32 JS/TrojanDownloader.Nemucod.AF 20150411
    Fortinet JS/Nemucod.AF!tr 20150411
    Sophos JS/DwnLdr-MKJ 20150411
    McAfee JS/Downloader.gen.d 20150411
    McAfee-GW-Edition JS/Downloader.gen.d 20150411
    Kaspersky HEUR:Trojan.Script.Generic 20150411
    Comodo Heur.Dual.Extensions 20150411
    ALYac 20150411
    AVG 20150411
    Ad-Aware 20150411
    AegisLab 20150411
    Agnitum 20150409
    AhnLab-V3 20150411
    Alibaba 20150411
    Antiy-AVL 20150411

  • lloyds message service – debit posted.zip (malware)

    If you got lloyds message service – debit posted in an email then its a virus.  This .zip is malware verified by VirusTotal.com

    lloyds message service
    courtesy of tranquilnet

    Subject: You have received a new debit

    This is an automatically generated email by the Lloyds TSB PLC

    LloydsLink online payments Service to inform you that you have

    receive a NEW Payment.

    The details of the payment are attached.

    This e-mail (including any attachments) is private and confidential

    and may contain privileged material. If you have received this

     

    Scan From VirusTotal:

    Antivirus

    Result

    Update

    Ad-Aware

    20131211

    Agnitum

    20131217

    AhnLab-V3

    Trojan/Win32.Dapato

    20131218

    AntiVir

    20131218

    Antiy-AVL

    20131218

    Avast

    Win32:Malware-gen

    20131218

    AVG

    20131218

    Baidu-International

    20131213

    BitDefender

    20131211

    Bkav

    20131218

    ByteHero

    20130613

    CAT-QuickHeal

    20131218

    ClamAV

    20131218

    CMC

    20131217

    Commtouch

    W32/Trojan.CIRP-9141

    20131218

    Comodo

    20131218

    DrWeb

    20131218

    Emsisoft

    20131218

    ESET-NOD32

    Win32/TrojanDownloader.Waski.A

    20131218

    F-Prot

    W32/Trojan3.GVD

    20131218

    F-Secure

    Trojan.Agent.BBBY

    20131218

    Fortinet

    20131218

    GData

    Trojan.Agent.BBBY

    20131218

    Ikarus

    Trojan-Spy.Agent

    20131218

    Jiangmin

    20131218

    K7AntiVirus

    20131218

    K7GW

    20131218

    Kaspersky

    Trojan.Win32.Bublik.boha

    20131218

    Kingsoft

    20130829

    Malwarebytes

    Trojan.Agent.RV

    20131218

    McAfee

    20131218

    McAfee-GW-Edition

    20131218

    Microsoft

    20131218

    MicroWorld-eScan

    20131218

    NANO-Antivirus

    20131218

    Norman

    20131218

    nProtect

    20131218

    Panda

    20131218

    Rising

    PE:Malware.FakePDF@CV!1.9E18

    20131218

    Sophos

    Troj/Zbot-HEQ

    20131218

    SUPERAntiSpyware

    20131218

    Symantec

    20131218

    TheHacker

    20131217

    TotalDefense

    20131217

    TrendMicro

    20131218

    TrendMicro-HouseCall

    TROJ_GEN.F47V1218

    20131218

    VBA32

    20131218

    VIPRE

    20131218

    ViRobot

    20131218

  • What is Autorun.inf?

    What is AutoRun.inf?
    What exactly is an autorun.inf? Is it a virus or just a file that needed by other application in our computer to run? Have you ever gotten alerted by your system anti-virus application that autorun.inf was detected as a threat to your computer?

    AutoRun.inf is a primary instruction file associated with Autorun function. Autorun.inf is just a simple text-based configuration file that tells the operating system which executable to start or which icon to use. In other words, Autorun.inf simply tells the operating system how to deal on the programs or executable files and how the operating will treat the contents of a CD or any removable disks that is plug to your computer.

    Autorun.inf is not a malware, but a virus might use autorun.inf to get access to your computer programs and files. Common virus like bacalid, ravmon.exe and even Trojan virus hides in autorun.inf to easily spread to your computer. These viruses save themselves in the root directory of the infected hard disks and will run themselves every time you double click the drive. Usually if a USB stick or a CD was infected by a virus, once it was plugged to your computer the device automatically runs itself especially with the device where autorun was enabled.

    If autorun.inf was detected by your anti-virus as a threat to your computer but not yet tried to make an action then here are some tips to remove autorun.inf which are infected by virus.

    You can disable autorun.inf for all drives by configuring the registry of your computer. First you need to open the registry by typing regedit.exe to the command prompt or you may execute it in run. Then look for this registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Double-click the NoDriveAutorun DWORD entry and type the value HEX: FF (255 in Decimal). (If the NoDriveAutorun does not exists, you can create it by right-clicking the right side area of the regedit window, then click New->DWord Value -> type NoDriveAutorun) Close the registry and restart the computer. This procedure will disable all the autorun for all drives of your computer and at least will prevent the autorun function of infected USB drives or CDs and avoid the infection of viruses like the Bacalid and RavMon.exe.

    Another procedure to disable or delete autorun.inf that has been infected by virus is by using the command prompt, type cd\ then press enter. You may type the letter of your USB drive or CD drive, for example F: then press enter. Type this attrib –h –r –s autorun.inf then press enter, type del autorun.inf.That’s the easiest way to avoid spreading virus from your computer especially using sutorun.inf. If you have any questions, you can comment on this post, thank you!

  • Star Trek Based Anti-Virus: Klingon Anti-Virus (KAV)

    Sophos put out a Star Trek Based Anti-Virus. Pure genius. The downloads for it are off the charts. Its free. Its fun and its increbibly smart marketing. Like many brilliant ideas it was an accident. Well, it was put out as an accident. But I for one am glad it was.

    The Star Trek movie was awesome by the way! Great move for a franchise that deserves a larger commercial audience. I’m anxious for more movies and shows.

  • derad: Malicious “Security Warning” Popups

    Here is some good quick advice from my fellow blogger Debra Radcliff:

    Panda Security reports increased spread and success of popup “security warnings.” These warnings popup when people surf the Web and hit a malicious or infected Website, and keep flashing their warnings until the user goes to the link, at which time they get infected.

    No legitimate security company would do this to a computer, so don’t click the link. Instead, disconnect from the Internet, clear your browser history and restart your computer. If your browser is still flashing warnings, the system will need to be disinfected through anti-virus or a computer restoration service.

    Usually these false security warnings are a symptom of something much worse. I’ve had some that will actually not allow you to do much of anything but click on the link in their fake pop-up. What I did was a system restore, but you can also boot in Safe mode and attempt to clean the system.

  • Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002

    That which does not kill us makes us stronger.
    -Friedrich Nietzsche

    In the November 2002, Information Security Magazine article, Infosec’s Worst NightMares, Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002. Mr. Skoudis is the founders of Intelguardians Network Intelligence, LLC and is a handler of the very popular Internet Storm Center.

    Mr. Skoudis mentions that the Top five major destructive attacks of 1998 – 2002 made many industries “battle-tested” and more likely to be proactive rather than reactive. The 5 year Worst Skoudis list is based on exploits that shook our very faith in the Internet and security of e-commerce.

    1. Code Red (2001). July 13 2001, the worm attacked Microsoft IIS systems. By 19 July 2001, the worm had affected over 350,000 systems. SANS and Honeynet Project set up honey pots to capture the worm. But E-eye Digital Security Programmers did the most intense research on the worm and also named it. The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft’s MS01-033 patch. It was a buffer overflow attack. Some of the lessons learned: Keep systems patched, use of honey pots to capture malware, coordinated response helps to contain worms.

    2. Nimda (2001). Shortly after 9/11, the Nimda worm was unleashed. It caused more damage financially than Code Red. There were rumors that it was China that released it to hurt the US further, but this is unlikely due to the nature of Nimda.

    While it was bad, it had the appearance of a being written by a determined amateur, not a nation-state that spends $1 Billion annually on cyberwarfare capabilities. – Skoudis.

    Nimda affected Windows 95, 98, Me, NT, or 2000 and servers running Windows NT and 2000. It was so affective because it attacked IIS, e-mail, browsers and network shares. This multi dimensional attack method could mark a trend in future cyberfare.

    Lessons Learned: The importance of an incident response capability, disabling arbitrary scripts in e-mail and browsers.

    3. Melissa (1999) & LoveLetter (2000). Both of these exploited malware through e-mail propagation. Melissa used Microsoft Word Macro virus and LoveLetter (I Love You Virus). The worm harvested the victims address book to forward itself to more victims which killed a lot of email servers. Lessons Learned: Many companies got serious about implementing anti-virus applications throughout the network.

    4. Distributed Denial-of-Service (DdoS) attacks (2000)    . After all the panic of pre-Y2K, a completely new and unexpected storm hit major sites: Yahoo!, Amazon, CNN, E*Trade ZDNet and eBay. All by a single child hacker nicked named Mafiaboy. He had spread zombie flooding agents to hundreds of machines around the world and used them to attack sites with billions of useless packets. Lessons Learned: employ anti-spoofing filters.

    5. Remote Control Trojan Horse Backdoors (1998 – 2000)    . In 1998, the Cult of the Dead Cow hackers group created the Trojan, Back Orifice which initially targeted Windows NT/9x. The tool allowed unskilled attackers to attack any vulnerable system. It also marked the rise of the “script kiddies” and produced a bunch of spin offs such as Subseven, Netbus and Hack-a-Tack.

  • Malware Alarm

    A friend of mine wanted me to do some work on her computer, but when I fired up the computer all I saw was Malware Alarm.

    The computer was really slow and essentially un-usable. Malware alarm, I noticed, looks a lot like the scamware PS Guard and SpySheriff. These are applications that pretend to be anti-virus, anti-spam software that actually infect your system with spyware, mass-mailers, and backdoors into your system. This type of the malware is known as a trojan. As usual any attempts to shut this application down or minimized it are useless because even if you do manage to get anything else up, it will eat up so much system resources (CPU, memory, bandwidth) that the computer itself is close to useless. It you delete it in normal mode and miss a part of it, it will regenerate itself like a hydra.

    After looking at the Task Manager (which took 20 minutes or so), I decided to reboot in “safe mode”. Unless your system has something like a Rootkit (malware that replaces the main component of your operating system) Safe Mode only turns what is needed and nothing else. I used system restore to remove Malware Alarm. And Spybot Search and destroy/Adaware to remove everything else.

    System Restore should be used first because it is easiest and does require any additional software.

    1) Reboot in Safe mode: Restart system, hit F8, select “Safe Mode”

    2) Proceed in Safemode: When prompted (as in the picture above) Select “NO”

    3) Restore Wizard: Select a date prior to when you recieved the malware (system restore does not delete newly downloaded files, only new changes in the registry)

  • What is W32 Myzor?

    malwareW32 Myzor is a part of a family of “Scamware”. These are trojans that pose as anti-virus/anti-spyware appliations that actually install malware on to your computer (viruses, worms, mass emailers). They attempt to gather your personal information and scare you into purchasing some shitty malicious software (no offense to adds running on this site).

    W32.Myzor.FK@yf virus. The warning are fake. Your system probably is infected but it is infected because a myzor variant put it there. The balloon about “You computer is infected”, is not real.

    go to the following for more:

    w32 myzor
    w32 myzor fk
    w32 myzor fk yf