Entries Tagged 'Anti-Malware Tools'
September 8th, 2008 — Anti-Malware Tools, personal stuff
I thought I’d upload the stats from one of today’s clients. This client complained of “security alerts”, which turned out to be rogue anti-privacy applications.
I cleaned this PC with my bootable anti-malware disc (Avira and SuperAntiSpyware). I added the log below for your viewing pleasure (these infections are fresh)!
Happy Hunting:
=================================
Begin scan in ‘C:\’
C:\Documents and Settings\All Users\Application Data\kfwluzmr\afypazgp.exe
[DETECTION] Is the Trojan horse TR/Obfuscated.GX.577
[NOTE] A backup was created as ‘493e1a7c.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\Documents and Settings\Roger Rolper\Local Settings\Temp\163.tmp.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.wah
[NOTE] A backup was created as ‘48f81b36.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\Documents and Settings\Roger Rolper\Local Settings\Temp\164.tmp
[0] Archive type: RAR SFX (self extracting)
--> sav.exe
[DETECTION] Is the Trojan horse TR/Fake.UltimaAV.bh
--> sav.cpl
[DETECTION] Is the Trojan horse TR/FakeAV.BC.2
[DETECTION] Contains detection pattern of the dropper DR/FraudTool.MSAntivirus.V.1
[NOTE] A backup was created as ‘48f91b37.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\Documents and Settings\Roger Rolper\Local Settings\Temp\a.exe
[DETECTION] Is the Trojan horse TR/Drop.Zlob.waf
[NOTE] A backup was created as ‘492a1b31.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\Documents and Settings\Roger Rolper\Local Settings\Temp\b.exe.bak
[DETECTION] Is the Trojan horse TR/Obfuscated.GX.577
[NOTE] A backup was created as ‘4881845a.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\Documents and Settings\Roger Rolper\Local Settings\Temp\c.exe
[DETECTION] Contains suspicious code HEUR/Crypted
[NOTE] The fund was classified as suspicious.
[NOTE] A backup was created as ‘492a1b32.qua’ ( QUARANTINE )
C:\Documents and Settings\Roger Rolper\Local Settings\Temp\file.exe
[DETECTION] Contains suspicious code HEUR/Crypted
[NOTE] The fund was classified as suspicious.
[NOTE] A backup was created as ‘49311b6f.qua’ ( QUARANTINE )
C:\Documents and Settings\Roger Rolper\Local Settings\Temporary Internet Files\Content.IE5\OXG6II6L\file[1].exe
[DETECTION] Contains suspicious code HEUR/Crypted
[NOTE] The fund was classified as suspicious.
[NOTE] A backup was created as ‘49311c37.qua’ ( QUARANTINE )
C:\Program Files\AntiMalwareGuard\amg.exe
[DETECTION] Is the Trojan horse TR/Fakealert.abf
[NOTE] A backup was created as ‘492c1db7.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\Program Files\DIGStream\digstream.exe
[DETECTION] Contains detection pattern of the SPR/Dldr.DigStream program
[NOTE] A backup was created as ‘492c1e00.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\Program Files\SAV\sav.cpl
[DETECTION] Is the Trojan horse TR/FakeAV.BC.2
[NOTE] A backup was created as ‘493b203d.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\Program Files\SecureExpertCleaner\Reminder.exe
[DETECTION] Contains detection pattern of the SPR/SecExpClean.A.1 program
[NOTE] A backup was created as ‘49322041.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1126\A0054947.cpl
[DETECTION] Is the Trojan horse TR/FakeAV.AR
[NOTE] A backup was created as ‘48f52075.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1139\A0056657.dll
[DETECTION] Is the Trojan horse TR/Zlob.waf
[NOTE] A backup was created as ‘48f520a1.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\etc\hosts.20071029-122133.backup
[DETECTION] Is the Trojan horse TR/Qhost.MY.3
[NOTE] A backup was created as ‘4938236f.qua’ ( QUARANTINE )
[NOTE] The file was deleted!
======================================
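To make a log like the one above easier to triage, here is a small parser I added for this post (it is not part of the Avira product or the original log). It groups the scanner's output into one record per scanned file, folds archive members (the "-->" lines) into their container, and separates files that were quarantined and deleted from heuristic hits that only got a quarantine backup. The sample log is a constructed excerpt of the records shown above.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: four records copied from the Avira log above.
SAMPLE_LOG = r"""C:\Documents and Settings\Roger Rolper\Local Settings\Temp\164.tmp
--> sav.exe
[DETECTION] Is the Trojan horse TR/Fake.UltimaAV.bh
--> sav.cpl
[DETECTION] Is the Trojan horse TR/FakeAV.BC.2
[DETECTION] Contains detection pattern of the dropper DR/FraudTool.MSAntivirus.V.1
[NOTE] A backup was created as '48f91b37.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Documents and Settings\Roger Rolper\Local Settings\Temp\c.exe
[DETECTION] Contains suspicious code HEUR/Crypted
[NOTE] The fund was classified as suspicious.
[NOTE] A backup was created as '492a1b32.qua' ( QUARANTINE )
C:\Program Files\DIGStream\digstream.exe
[DETECTION] Contains detection pattern of the SPR/Dldr.DigStream program
[NOTE] A backup was created as '492c1e00.qua' ( QUARANTINE )
[NOTE] The file was deleted!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # a record starts with a drive path
SIG_RE = re.compile(r"\b(?:TR|DR|SPR|HEUR)/\S+")      # signature families seen in this log
QUA_RE = re.compile(r"backup was created as '([^']+)'")

@dataclass
class Record:
    path: str
    detections: list = field(default_factory=list)   # every signature hit, archive members included
    quarantine: str = ""                              # name of the .qua backup, if any
    deleted: bool = False                             # True once "[NOTE] The file was deleted!" is seen

def parse_avira_log(text):
    """Return one Record per scanned file; '-->' archive member lines fold into the container."""
    records, cur = [], None
    for line in text.splitlines():
        if PATH_RE.match(line):
            cur = Record(path=line.rstrip())
            records.append(cur)
        elif cur and line.startswith("[DETECTION]") and SIG_RE.search(line):
            cur.detections.append(SIG_RE.search(line).group(0))
        elif cur and QUA_RE.search(line):
            cur.quarantine = QUA_RE.search(line).group(1)
        elif cur and "The file was deleted" in line:
            cur.deleted = True
    return records

def not_deleted(records):  # quarantined, but no deletion line: heuristic hits worth a second look
    return [r.path for r in records if r.quarantine and not r.deleted]
```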
June 10th, 2008 — Anti-Malware HowTo, Anti-Malware Tools, Malware Tips, My Tools
So, what is Vundo and how do you get infected with it?
Vundo is a pernicious adware Trojan that is usually installed on your Windows PC (Windows 2000, Windows XP, or Windows Vista) via an outdated Java Runtime Environment. Vundo, also known as Virtumonde and Virtumondo, creates random-letter DLLs in C:\windows\system32 (tyeyavv.dll, for example) that inject themselves into the winlogon.exe process as well as the explorer.exe process. Since Vundo injects itself into winlogon.exe, removal can be very hard because winlogon.exe is in use almost every second.
The biggest problem with Vundo is not necessarily the removal process but the detection process, since Vundo’s creators make hundreds of variants a day in an effort to evade detection (which, unfortunately, seems to be working).
What does Vundo do anyway?
Vundo displays unblockable popup and popunder ads even when users are not actively browsing the internet. Vundo has also been known to display fake system alerts that try to scare a user into buying a fake antivirus application. Vundo is essentially a platform for delivering scams to your PC on a massive, non-stop scale.
How to remove Vundo using free software - My Vundo Removal Kit.
Removing Vundo for free can be a little tough since there are so many Vundo variants and every free program has a different detection database and heuristics algorithm.
When I encounter Vundo and a client does not want to pay for any software I “break out” my free Vundo removal kit. This kit is currently comprised of:
-MalwareBytes AntiMalware (malwarebytes.org)
-SuperAntiSpyware (superantispyware.com)
-VundoFix (from atribune.org)
-UnDLL (from eset.com)
To start the Vundo removal process:
- Backup any personal data to CD, DVD or flash drive.
- Download and install MalwareBytes Anti-Malware.
- Load MalwareBytes Anti-Malware and click the update tab and then click update to receive the latest updates.
- Download and install SuperAntiSpyware.
- Load SuperAntiSpyware. SuperAntiSpyware will ask you if you want to check for new rules and definitions. Choose yes.
- Close SuperAntiSpyware.
- Download VundoFix.
- Download UnDLL.
- Reboot your PC in Safe Mode.
- While in safe mode load MalwareBytes Anti-Malware and perform a full scan.
- When the scan is complete click show results.
- Remove any checked items.
- Reboot if MalwareBytes asks you to.
- Enter Safe Mode again.
- Load SuperAntiSpyware.
- Click Preferences and click the scanning control tab.
- Check “Terminate memory threats before quarantining”.
- Close preferences and click the “Scan your computer ” button.
- Select “Perform Complete Scan” and click Next.
- Let the scan complete and remove anything it finds.
- Next, we’ll finish up the Vundo detection and removal process by using VundoFix.
- Open VundoFix and click the “Scan for Vundo” button.
- If any Vundo infections still remain click the “Fix Vundo” button.
- At this point Vundo has most likely been neutralized.
- Reboot your PC.
- You should be Vundo-free now.
- Download and install the latest copy of the Java Runtime Environment and keep it updated.
- Do yourself a favor and purchase Spyware Doctor with AntiVirus
(one license protects 3 PCs). It’s the only antivirus that I’ve tested this year to successfully detect and remove almost every variant of Vundo with very little effort.
If you think any Vundo Trojans have been missed in c:\windows or c:\windows\system32, then you can submit those files to virustotal.com for analysis. If the file you submit comes back as a possible infection, then you may forcibly remove it using UnDLL. If you’re still getting popup ads, then you may want to run a HijackThis scan and email me the log file, or just install Spyware Doctor with AntiVirus.
May 22nd, 2008 — Anti-Malware Reviews, Anti-Malware Shootout, Anti-Malware Tools, AntiVirus Reviews, Videos
May 21st, 2008 — Anti-Malware Reviews, Anti-Malware Tools, AntiVirus Reviews
I just started working on my next anti-malware review and I’m completely blown away by how well PC Tools Spyware Doctor with Antivirus scored! It was absolutely perfect!! The only downer is that it’s not free, but hey…who cares…looks like malware has met its match (so far).
I’m working on the video review right now.
April 28th, 2008 — Anti-Malware Reviews, Anti-Malware Tools
ThreatFire Basic can identify and halt malware processes and activities, but it does NOT remove them. For removal of malware identified by ThreatFire you need to buy the Pro version, which costs $29.95. I personally tested ThreatFire on my infected virtual machine and was pretty satisfied with how it prevented the malware from doing anything. The malware on the VM was still there, but was effectively allowed to do nothing.
PC Tools ThreatFire Basic is an excellent add-on to your current anti-virus. Here are some reasons why.
- It’s Free.
- Does not require updates (they are available though).
- Provides a second opinion.
- Prevents malware from doing anything. Once a malicious process is identified it’s in the ThreatFire prison.
- The full version is cheap! $29.95 for some really nice extra functionality.

April 24th, 2008 — Anti-Malware Reviews, Anti-Malware Tools
Hi Everyone…Matt here… I just added a few product reviews and downloads here. These are the anti-malware applications I use on all my client appointments.
April 17th, 2008 — Anti-Malware Tools
How to Search safely using McAfee SiteAdvisor
In this article I will teach you how to install and use the free version of McAfee SiteAdvisor. Simply put, SiteAdvisor tells you if a website is bad or good. So, what is a bad website (according to SiteAdvisor)?
- websites that contain links to malware (viruses, spyware, exploits).
- websites that link to other bad websites.
- websites that participate in fraudulent activities.
- websites that excessively spam email addresses.
Let’s begin the install now. Please follow the 8 simple steps below to start searching safely.
- Open your web browser (either Internet Explorer or Firefox). This tutorial is written using Firefox, but the Internet Explorer install of SiteAdvisor is much the same.
- Go to www.siteadvisor.com. You will see a download link that looks like the image below. Click the Download button.

- Click the I Agree button and then click Install SiteAdvisor.

- Firefox or Internet Explorer will most likely ask you if you trust the download or website. You should allow IE or Firefox to download (click Options in Firefox and add the SiteAdvisor site).
- Once you allow the website in Firefox you need to click the download link in the image above again. Then you will see the image below. Click Install Now.

- Restart Firefox and then SiteAdvisor will be loaded and working.
- Now the fun starts…go to Google or Yahoo and do a search for whatever. I searched for “remove malware”. Look at the image below. Behind each link is either a red X, a green check mark or an exclamation mark. Sites with red X’s should always be avoided, sites with green check marks are safe to visit, and an exclamation mark means that if you do visit the site you should be careful.
- Looking at the example above, download3000 dot com is a red X website, but why is it red? Move your mouse over the red X to find out why you shouldn’t visit this website.

Wow, this site is hosting a lot of red downloads (probably adware-based files), so it’s safe to say I’ll not be visiting this site.
SiteAdvisor is a really nice add-on for browsing safely and preventing malware from being accidentally installed. Red and green icons tell even the most basic PC user what they can and can’t view on the internet while searching.
April 15th, 2008 — Anti-Malware HowTo, Anti-Malware Tools
Just about every week I encounter some malware that is completely protected from deletion no matter what anti-malware application I use, even in Safe Mode. For these annoying files I use Pocket Killbox (from bleepingcomputer). Pocket Killbox can remove any piece of malware, or really any file.
Below are some instructions on how to delete any virus (malware):
How to Delete Any File.
1. Download Pocket KillBox from here to your Desktop.
2. Open Kill Box and you will see the interface below.

3. Click the yellow folder to browse to the file you wish to delete.
4. Make SURE your options match the ones below. Of course, your chosen file will be different.

5. Click the red x to delete the file.
6. Reboot.
7. It will look like the file is still there; however, it is now an empty file and may be ignored or freely deleted.
April 7th, 2008 — Anti-Malware Tools
VB100 (an organization that does independent, unbiased anti-malware testing) just completed their tests of Vista Anti-virus software packages and briefly stated that Windows Live OneCare stopped EVERY piece of malware thrown at it…very cool, I’ll have to see how Windows Live OneCare does against my infected VM.
Here’s the article
April 1st, 2008 — Anti-Malware Tools
Are you looking for the latest free malware killer? Well, I have a few of them (malware killers) to list here:
- ComboFix - Probably one of the best malware removal utilities as well as post-malware cleanup utilities. ComboFix is ONLY for Windows XP. For best results run in Safe Mode.
- SmitFraudFix - Great free application for removing rogue anti-malware like Virus Heat, Malware Alarm, SpyGuard Pro, etc. For best results run in Safe Mode.
- MalwareBytes AntiMalware - Amazing for detecting threats and completely removing them. Malwarebytes is extremely fast, small and updated on a constant basis.