Advertising what exactly in cleaning malware

There is a new anti-malware product that has been advertised on TV.

They claim this USB key has software on it that magically will vacuum malware, viruses and Trojans off your computer.

They also claim that it is used by government agencies, companies and IT professionals and they’ve been around for many years.

A screen showing a woman getting hit with many pop-up windows. A bit far-fetched as if you had that, your computer would be useless. [Note that the computer was running Windows XP.]

OK. So let’s take a look at some of their facts.

The domain they use has been around for a bit over 3 years. How did those IT professionals know about it beforehand?

Me personally, up until a couple of months ago, I had never heard of the product.

If it is used by governments and companies, why is there no listing of them on the web site? I see other companies boasting about their clients.

Viruses are outdated. Today it is mostly malware, with some Trojans and rootkits.

While PC Magazine gave it 4 out of 5 stars it did say it may not be suitable for the typical [novice] user. In addition, according to their review the “cleanup process wiped out some essential Windows files, making remote assistance necessary. No realtime protection against new threats. Doesn’t clean up malware traces in the Registry.”

So basically it will scan files on the computer and nothing else and could cause further problems which will probably require further costs.

If you have to purchase a product like this, what does it say about:

  • Your current security product on your computer?
  • Yourself, when it comes to knowing what to and what not to click on?

I know of many people who’ve gone years without any security issues and they would be classified as novices. [Yes, I try and keep them informed, but that doesn’t stop everything.]

If you keep on getting hit with security issues, maybe you should seriously stop and think before clicking on something.

Oh and this isn’t much new. Most security products have software which you can download and dump on a USB key or a DVD that will do the same or better than what is offered. [I am guessing most will actually go into the registry and not touch system files either.]

As an additional note, there have been many so-called security products that claim to fix these security issues. One advertised on CNN claimed to fix these problems. When I tested it on a fresh installation [security updates but no applications] of Windows XP a couple of years back, it claimed there were all kinds of registry and other issues. On a new computer? Seriously?

Major malware issue with recent Lenovo computers

If you are using or you know anyone using a Lenovo laptop bought within the last year, Lenovo has installed something called SuperFish. According to experts it is an encrypted form of adware. The software dumps ads and probably gathers personal information.

Until the situation is fixed, don’t use your Lenovo laptop for anything like using a bank web site or work related.

Uninstalling the software is not enough. You also need to remove a certificate.

Even that may not be enough.
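One way to check whether the certificate is still in the trusted root stores, as an added example that is not part of the original post and not Lenovo’s removal package: it lists any root certificate whose subject or issuer mentions Superfish [the '*Superfish*' name pattern is an assumption] and leaves the actual removal as a commented line to run only after reviewing the output.

```powershell
# Added example (not from the original post): report any trusted root
# certificate whose subject or issuer mentions Superfish. The name pattern
# '*Superfish*' is an assumption; adjust it if the certificate is named
# differently on your machine.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
}
else {
    $found | Format-Table -AutoSize
    # Remove the certificate(s) only after reviewing the list above.
    # Removing from LocalMachine requires an elevated (Administrator) prompt.
    # $found | ForEach-Object { Remove-Item -Path ("{0}\{1}" -f $_.Store, $_.Thumbprint) }
}
```

Run it after uninstalling the software; if the listing is empty in both stores, the certificate part of the cleanup is done. If it still shows up after a reboot, something is putting it back, which is the “even that may not be enough” case.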

If you have a Lenovo laptop, contact them for support…. And good luck.

[Updated: 2015/02/21]: After researchers went deeper into SuperFish this week, they found that it inserts ads into random web pages and also tampers with computer security in such a way that an attacker could actually spy on all web browser traffic on the computer.

SuperFish allows attackers to see all the communications that’s supposed to be confidential such as banking transactions, passwords, emails, and instant messages.

[Updated: 2015/02/24]: The SuperFish CEO has denied that their software contains malware. Uh huh.

Meanwhile, researchers are now saying at least 12 other products – including some used for parental control – are using the same developer’s kit.

Finally, Lenovo says it has created a package to properly remove SuperFish from the system.

When free isn’t so free

I had b?tched to DivX Networks in April how they could bundle Conduit malware [as most people call it] with their free DivX player. [Malwarebytes as well as other anti-malware software consider any from Conduit software to be malware.]

I finally got a response back from them – 3.5 months later. The guy who responded claimed there was an issue with their mail system. Got lost somewhere – so was claimed.

It seems that DivX received many complaints that the Conduit crapware was causing problems. It has since been removed from further installations and their new policy states that they will only bundle software that is beneficial [as was called by a product manager] and no search related software.

It’s bad enough if you use a single web browser, but if you have three browsers, you have a doozy of a job to remove the crapware off each web browser. [I guess a reason why you shouldn’t have too many browsers. One to use and a second one in case the first one has an issue with a web site.]

Is there a way to block out Conduit? I doubt it. In most cases, it is included in the free software you are installing.

This is what I tell people: If it is free, definitely do a custom installation. Otherwise crapware like this gets installed. One free software I downloaded had 4 separate installations if you chose a custom installation.

Know of any other software that has [or had] Conduit crapware included in the installation?

I have always suggested that when something is free off the Internet, always choose a custom installation [or equivalent]. Unlike the standard/complete installation [or whatever they may call it], in many cases the custom installation will actually allow you to see what is installing and what changes will be made during the installation [additional programs, changing the default home page in your browser, changing the default search engine in your browser, etc.].

Microsoft takes down malware pushing domain – affects legitimate sites

Recently, Microsoft seized 22 domain names from No-IP.com. The company was aiming to put mostly [malware] criminals out of business; the domains were allegedly being used to conduct attacks against Windows users. Microsoft obtained a court order allowing it to seize control of the targeted domains. However, while some subdomains were allegedly being used in the attacks, the takedown also affected other servers that were used for legitimate reasons.

Some are questioning how Microsoft could request and get court approval to do this. As well, according to No-IP, Microsoft failed to notify them to take down the malicious domains.

Unsure if Microsoft has responded to the allegations that they never warned No-IP. But I am sure No-IP was warned by others that it was hosting malware and did nothing about it [or didn’t push hard enough].

Microsoft did take things into their own hands. But No-IP should have known that it could happen to them, if not by Microsoft pressure then by some other company.

As for Microsoft flexing their muscle, I don’t think it was Microsoft’s job to verify the facts. It was the court that was responsible for making the final decision. Whether or not the court [before it approved the takedown] asked Microsoft if it would affect legitimate sites is a question that needs answering. This is like asking for a warrant to arrest a suspect. The judge reviews the evidence given and may or may not request further information. [I’m assuming the court that gave the approval to Microsoft knows a bit about technology.]

I think it is also time that registrars should be partially responsible for what goes on with sites they have registered. Too many of them will register a site without caring. Why else would someone register the domains [if they still exist – don’t check!]: adobe-downloads.com, windowsenterprisedefender.com, and microsoftantispyware.net.

In the end, I’d rather be safe than sorry. Take down the domain. Those with legitimate sites can go after No-IP for knowingly hosting suspicious web sites which could affect their site’s operation. [Of course I’m not a lawyer.]

[Update 2014/07/04:] Microsoft has since apologized to those legitimate sites that were affected for the “technical error”. Note that it took the court about a week to grant Microsoft’s request for the takeover. I am still thinking that the judge involved didn’t do his/her homework and see if it would affect others.

But according to reports, it did do some damage to the Syrian Electronic Army as well. According to Kaspersky Labs, the takedown impacted a quarter of the “advanced persistent threat” actors it’s been tracking.

The malware in this case was Bladabindi (NJrat) and Jenxcus (NJw0rm), which together predominantly used No-IP to generate over seven million infections in the past year.

Vitalwerks, which runs No-IP, said it now has back 18 of the 23 domains Microsoft commandeered on Monday using a restraining order granted by the state’s federal court. I will assume these house the more legitimate sites.

Meanwhile, at one point No-IP said it was under DDoS (distributed denial-of-service) attack, but that it did not affect its DNS infrastructure.

CryptoLocker ransomware becoming relevant

There is a new strain of malware called CryptoLocker that is making its rounds. Unlike your typical malware which causes havoc with systems, this one is part of the ransomware family.

Ransomware is just like what it sounds – it takes your computer hostage and the malware makers want money from you.

While some ransomware has been easy to correct – just reboot your computer – this strain is nasty.

Typically the file which does the work comes in the form of an Email [although you could get hit by going to a web site you shouldn’t be on]. So that the email passes anti-virus scanners, it is typically stored inside a ZIP compressed archive file.

Reports have it that they are coming from fake shipment or invoice notices from courier companies like FedEx or UPS.

Note: Some clues here – if you aren’t expecting anything or received anything, why would you get an Email from them? As well, if you look at the Email [but not the contents], why so little information about you?

The ransomware writers are still using the old double extension issue that still exists today in Windows. By default, Windows hides known file extensions, so when you view a file you will only see the file name [example: “My_Invoice”] instead of the full name “My_Invoice.pdf”. So the malware writers are sending what looks like the file “My_Invoice.pdf” when in reality it is “My_Invoice.pdf.exe” [other program extensions would also fall under the above]. So you think it’s an Adobe PDF file when in fact it is a program.

Note: Another clue. If you are using Windows Vista or later, you would get a warning that what you just opened is trying to modify your computer. Adobe PDFs don’t modify your computer.
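Two defensive checks for the double extension trick, as an added example that is not part of the original post: the first makes Explorer show known file extensions for the current user so the real name is visible, and the second scans a folder [the Downloads folder is an assumption, as is the list of document and executable extensions] for files whose name carries a document extension followed by an executable one.

```powershell
# Added example (not from the original post). Two defensive checks for the
# double-extension trick described above.

# 1. Make Explorer show known file extensions for the current user so that
#    "My_Invoice.pdf.exe" is no longer displayed as "My_Invoice.pdf".
#    HideFileExt: 1 = hide known extensions (the default), 0 = show them.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Value 0 -Type DWord
# Explorer reads the value when it starts; restart Explorer or sign out to apply.

# 2. Scan a folder for files that carry a "document" extension followed by an
#    executable one. The default folder and both extension lists are assumptions;
#    extend them for your environment.
function Find-DoubleExtension {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
    )
    $docExt  = 'pdf|doc|docx|xls|xlsx|ppt|pptx|jpg|jpeg|png|txt|zip'
    $execExt = 'exe|scr|com|pif|bat|cmd|js|vbs'
    $pattern = "\.($docExt)\.($execExt)$"

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $pattern } |
        Select-Object FullName, Length, LastWriteTime
}

Find-DoubleExtension | Format-Table -AutoSize
```

The scan only reports; anything it lists should be looked at before deleting, since a legitimate “report.pdf.exe” is rare but not impossible. Showing extensions is the cheaper fix: once the user can see “.exe” on the end of an “invoice”, the clue from the note above becomes obvious.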

Once the program starts up, you may not initially see anything different for hours, if your computer stays on all day and night. Then the program comes alive and encrypts every kind of data file. This includes Adobe PDF files, Microsoft Word files, Microsoft Excel files, Microsoft PowerPoint files, Microsoft Outlook PST files, JPG images, BMP images, etc. In fact, there are a few dozen file types it encrypts.

Once it has encrypted the files, it should also place a text file or two in each folder saying what it did, and show the same message when you boot up the computer.

You may see the following image [or similar to it]. If you do, then your system is infected with the ransomware.
[Image: the ransomware screen]

Rebooting the computer doesn’t help. In fact, if any files that were open when it was encrypting were in use [and couldn’t be encrypted], they will be encrypted after rebooting the computer.

You will notice that when it encrypts the file, the file name itself hasn’t changed. But if you try to open a file, Windows will respond that the file is corrupt or something similar.

There is no way to decrypt the files yourself [and there are just too many to do anyway].

The ransomware writers will ask for anywhere between $100 and $1000 to be paid. You also need to pay by the date and time mentioned or the “key” to decrypt will be destroyed forever. They generally give you 72 hours from the time the files were encrypted.

If you pay the ransom, it doesn’t mean they will actually give you the key to decrypt. It is a gamble.

Up to date anti-virus software will at least detect the malware. Anti-malware software can clean the malware, but even if it does, it can’t decrypt the files. In fact, if you remove the malware, you probably can’t decrypt the files at all.

The only sure things to do are to back up regularly [if you have critical files], be careful with attachments from those [even friends] that are unexpected or seem a bit odd for the sender, and keep up to date on operating system updates.

I personally know of one case where someone got hit with ransomware.

If you do get hit with this malware, other than paying, you may want to have the disk wiped and Windows and your applications installed from scratch. Even if you paid, you do not want to take chances that remnants are on your system.

Watch out for scammer web sites impersonating companies

If you ever have to contact a company for whatever reason, do not trust the search engines completely. In many cases, the “support” sites that show up are not Microsoft [or Google, or Yahoo or…] support and will probably charge you quite a bit of money, when contacting actual Microsoft [or Google, or Yahoo or…] help would be free in some cases.

Many times these are the same kind of scammers who call to tell you that your computer is full of malware.

Find what you need from the company’s actual web site.

In particular, I came across one scammer web site. The typical web site that supports all kinds of operating systems and computer manufacturers and claims to have many certified technicians available 24 hours a day. [Note that I will not mention the web site.]

But I really didn’t come across this “company” by a search engine searching for help.

Instead I clicked on a bad link and I got the following message [more after the image]….

[Image: the scam web page]

[I blurred out the scammer’s toll-free number.]

The page above is on the same web site. So the question is why would a “legitimate” site have this also on their site?

If you try the page on another computer, you get the same two pieces of malware they claim is on your computer. Wow! A coincidence that both computers have the same malware. [And the only way to get rid of the message is to kill your browser completely from the Task Manager or reboot your computer. The page actually is harmless.]

Watch out for Conduit software

A word of warning. If you use DivX to view videos [as well as some other free software], it installs Conduit search software.

Conduit takes over your search engine and default home page in your web browser(s).

In Programs and Features it may be listed as “Conduit Search Protect” or “Search Protect by Conduit”. If you see it, uninstall it and then use some anti-malware software to remove the remnants.

Malwarebytes’ Anti-Malware software considers it [a form of] malware. Additionally, if you use your favourite search engine, do a search on the keywords “is conduit malware”.

When technical support stinks

Never trust technical support.

Someone I know was expecting an Email but never received it. She is the typical Internet home user. Surf the Internet, Skype and Emails.

She contacted Google [somehow] because she uses Gmail. I am unsure what – if anything – they based it on, but they told her the reason the Email hadn’t shown up was that she had some type of Trojan. A Trojan is the reason a web based Email is blocked from arriving on her computer? [She is using their website – not Windows Live Mail or whatever.]

Next she contacted her ISP. She must have described the symptoms because they said she also had a Trojan on her system. Now except for bandwidth and traffic testing, unsure if they ever did get into the computer. [I didn’t mention who they are but they don’t have the brightest people working for them anyways. As a hint of who they are, they are quite large in Canada.]

Finally, she uses Avast free edition for her anti-virus. Now I am definitely not a fan of Avast. A few years back, a company I was working at used the Avast Pro [centrally managed] version. Would you believe it couldn’t even detect that fake anti-virus software that was all the rage a few years ago, the one that reported hundreds of malware on a system without even scanning? [The Avast clients were up to date.]

Back to the story. She managed to contact them. I was told they accessed her computer and said her system was infected.

Get this: They wanted $199 to clean up the system. Why? The free version [she was told] may not clean up everything – unlike the paid version.

So basically what is the point of using their software when it won’t even detect all malware – let alone clean them?

So she called me over.

  • I ran Malwarebytes Anti-Malware and it detected nothing.
  • I ran Microsoft’s Autoruns to see if anything fishy is loading up and found nothing.
  • I looked at the Avast quarantine and it was empty [you figured it would have found something].
  • I updated Avast to the latest version and ran a full system scan. Nothing.

There has been nothing funny going on with the system. No pop-up messages. No delays.

On the other hand, it is Avast. Maybe it doesn’t detect malware.

[Oh. I had suggested something else but she declined.]

[As well, I sent her an Email and she got it almost immediately.]

Computer tip: Resetting Internet Explorer

Either by malware or some crappy toolbar, something will take over your home page and/or search engine in Internet Explorer. Sometimes you feel that things aren’t quite normal but you don’t suspect malware or anything.

The following procedure will reset Internet Explorer by removing certain settings. It will disable just about every add-on and toolbar, so you will need to re-enable the ones that are required, such as Adobe Flash Player [listed as Shockwave Flash Object], maybe Java, etc.

Note: Once the reset begins, you can’t go back!

Note: Try the procedure below. If it doesn’t work, then try what is mentioned in the last paragraph. The reason I say this is that the last paragraph will do a more serious job and may be unnecessary in some cases.

  1. Click on the Tools menu in Internet Explorer.
  2. Scroll down to the bottom of that menu and click on Internet Options.
  3. Select the Advanced tab [last in the window].
  4. Click on the Reset… button at the bottom of the window.
  5. Click on Reset. Don’t check the box next to Delete personal settings in the window.
  6. When done, exit Internet Explorer and then open it up. You will have to change your home page and other settings. When asked, choose the express settings.

If this doesn’t work, follow the same procedure above except at #5, check the box next to Delete personal settings in the window. This does a more complete reset as if you used IE for the first time.

Computer Tip: Helping to protect Internet Explorer

Here are a couple tips to secure Internet Explorer on a stand-alone computer [could apply on a domain as well]. Both of these tips would help prevent having crap like MyWebSearch or Conduit “software” from taking over the browser.

The first tip is to disable the changing of the home page in Internet Explorer.

To apply to all users, use the following registry setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

On the other hand, if you just want to apply the setting to an individual user [usually on a multi-user computer], use the following setting:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

At any time, you can change the default home page by exiting Internet Explorer, changing the setting to zero, going into Internet Explorer and changing the home page, exiting Internet Explorer and then changing the setting back to one.

No reboot is required. Internet Explorer 7 or greater required. When enforced, the option to change is greyed out.

In the second tip, you can prevent changing the default search provider. While you can have more than one provider and can manually choose a different search provider for a particular search [unsure why someone would do that], most will stick with one and have a backup.

To apply to all users, use the following registry setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions]
"NoChangeDefaultSearchProvider"=dword:00000001

On the other hand, if you just want to apply the setting to an individual user [usually on a multi-user computer], use the following setting:

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions]
"NoChangeDefaultSearchProvider"=dword:00000001

Note: It doesn’t stop the option “Prevent programs from suggesting changes to my default search provider.”

No reboot is required. Internet Explorer 7 or greater required.
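Both tips applied and read back from PowerShell, as an added example that is not part of the original post [the function names Set-IeLockdown and Get-IeLockdown are my own]. It writes the two per-user policy values above under HKCU and checks them; for the all-users version, swap in the HKLM paths from above and run from an elevated prompt.

```powershell
# Added example (not from the original post): set the two per-user policy
# values described above and read them back. Function names are my own.
$homeKey   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$searchKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions'

function Set-IeLockdown {
    # 1 = lock the home page and default search provider, 0 = allow changes again
    param([ValidateSet(0, 1)][int]$Enabled = 1)

    foreach ($key in $homeKey, $searchKey) {
        # Policy keys do not exist on a fresh machine; create them first.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $homeKey   -Name 'HomePage' -Value $Enabled -Type DWord
    Set-ItemProperty -Path $searchKey -Name 'NoChangeDefaultSearchProvider' -Value $Enabled -Type DWord
}

function Get-IeLockdown {
    # Returns $null for a value that has never been set.
    [pscustomobject]@{
        HomePage                      = (Get-ItemProperty -Path $homeKey -Name 'HomePage' -ErrorAction SilentlyContinue).HomePage
        NoChangeDefaultSearchProvider = (Get-ItemProperty -Path $searchKey -Name 'NoChangeDefaultSearchProvider' -ErrorAction SilentlyContinue).NoChangeDefaultSearchProvider
    }
}

Set-IeLockdown -Enabled 1   # lock both settings; takes effect on the next IE start
Get-IeLockdown              # both values should read 1

# To change the home page yourself: exit Internet Explorer, run
# Set-IeLockdown -Enabled 0, change the home page, exit IE, then
# run Set-IeLockdown -Enabled 1 again.
```

Because these are policy values, a toolbar installer that rewrites the ordinary Start Page setting does not get past them; Get-IeLockdown is also a quick way to confirm after a suspect installation that nothing reset the policy back to zero.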

While MyWebSearch is not considered malware, it is considered by most to be spyware. It obviously uses its own search engine, and those who created it are getting paid by unethical people to place their links first. [Hmmm, does Google do that? Another story.] Conduit software isn’t malware either, but it seems to get into any browser. It is probably more nuisance-ware than anything else. But like MyWebSearch, few like it.

These and others are preventable by reading what the installation [or update] software is doing to your system. Don’t just click “Next” all the time. Even better, if given the option, choose a custom installation [hopefully you do get a way to make sure this crap can be avoided].

As usual, you should test the changes in a non-production environment [where applicable] before applying them. Also as usual, use at your own risk. Unsure how to use the registry settings or unfamiliar with the registry? Ask a professional.